x509 CA Get Certificate fails with CertConnectionError
Trying to connect to our x509 CA to get the User certificate the operation fails with CertConnectionError.
I downloaded the latest experimental tree, built it and noticed the following in the logs:
2018-01-11 15:00:19.456820+0200 NoMAD[3017:590541] level: base - Updating User Info
2018-01-11 15:00:19.457023+0200 NoMAD[3017:590577] level: debug - Starting reachability check.
2018-01-11 15:00:19.495257+0200 NoMAD[3017:590577] [BoringSSL] Function boringssl_session_errorlog: line 2814 [boringssl_session_handshake_continue] SSL_ERROR_SSL(1): operation failed within the library
2018-01-11 15:00:19.495357+0200 NoMAD[3017:590577] [BoringSSL] Function boringssl_session_handshake_error_print: line 2753 boringssl ctx 0x1013a4390: 4588570928:error:100000f0:SSL routines:OPENSSL_internal:UNSUPPORTED_PROTOCOL:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-109.30.8/ssl/handshake_client.c:970:
2018-01-11 15:00:19.495408+0200 NoMAD[3017:590577] [BoringSSL] Function boringssl_context_get_os_status: line 4252 SSL_AD_PROTOCOL_VERSION
2018-01-11 15:00:19.497296+0200 NoMAD[3017:590577] TIC TCP Conn Failed [1:0x600000170140]: 3:-9802 Err(-9802)
2018-01-11 15:00:19.497431+0200 NoMAD[3017:590577] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
2018-01-11 15:00:19.497468+0200 NoMAD[3017:590577] Task <70DACFAF-8A2E-4533-A6E8-73760624AD3E>.<1> HTTP load failed (error code: -1200 [3:-9802])
2018-01-11 15:00:19.497621+0200 NoMAD[3017:591136] Task <70DACFAF-8A2E-4533-A6E8-73760624AD3E>.<1> finished with error - code: -1200Connection properties when manually connecting with openssl s_client -connect fqdn.domain.tld:443 outputs the following:
SSL handshake has read 1877 bytes and written 336 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 470C0000641AAB7B258791486B6C636CDE0A7F396F68FEF555B1BD37617DFA6C
Session-ID-ctx:
Master-Key: 9F4E79D108159326BE33C47E8F71F252E2D0055259A12E79C557AFBA91B65ADBB8F09E1C3304ADA9D13148E46A713B03
Start Time: 1515670313
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---(AFAIK It's not able to verify the issuer because it does not read root certs from keychain access, the issue certificate is trusted there)
I tried to look up for possible solutions using the various boringssl function names and error messages, but did not get far.
MacOS High Sierra 10.13.2