On 27/03/2020 21:07, Viktor Dukhovni wrote:
> That function should only affect the server -> client direction.
> Briefly, in OpenSSL 1.1.1 it affected both the client and server
> directions, but this was fixed in OpenSSL 1.1.1a.

If CentOS is following the same pattern in 8 as they did in 7,
they do list the letter when there is one; I have a 7 system
claiming "1.0.2k-fips". So:

> If the distro started with 1.1.1 and only backported security fixes, you
> could be running an OpenSSL version with the unintentional bidirectional
> setting.

.. either this, or even an unpatched basic 1.1.1.

A simple code addition to avoid that call in the client case sounds
in order. Would the above likely explain the error I'm getting?

> Another possibility is that your system-wide openssl.cnf file has a
> "RequestCAFile" or "ClientCAFile" setting.

Neither appears to be present in /etc/pki/tls/openssl.cnf

--
Cheers,
  Jeremy