Hi.
I have Debian Forky (Debian testing) setup and generated self-signed
certificate on that machine.
I cannot TLS connect to server with that certificate configured, with
OpenBSD's openssl as a client. Problem is visible with Python, curl,
wget. As expected, node-js can successfully connect and fetch the
content. IP address 192.168.201.130 is the Debian machine.
$ openssl x509 -noout -text -in server.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
26:07:be:df:99:48:15:15:d7:c9:59:c2:10:ab:fb:62:17:60:a5:a3
Signature Algorithm: Ed25519
Issuer: CN=172.17.0.1
Validity
Not Before: May 15 10:49:28 2026 GMT
Not After : May 15 10:49:28 2027 GMT
Subject: CN=172.17.0.1
Subject Public Key Info:
Public Key Algorithm: Ed25519
Ed25519 Public-Key:
pub:
2d:cd:10:d8:76:11:69:48:e6:2a:1f:55:fc:45:5b:
65:6a:ec:a8:30:89:be:20:3c:82:d4:7e:be:94:16:
8a:02
X509v3 extensions:
X509v3 Subject Key Identifier:
43:FF:97:60:94:A7:88:00:FE:9A:9A:B9:B1:F3:C4:1B:46:F8:84:21
X509v3 Authority Key Identifier:
keyid:43:FF:97:60:94:A7:88:00:FE:9A:9A:B9:B1:F3:C4:1B:46:F8:84:21
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
IP Address:172.17.0.1, IP Address:192.168.0.236, IP
Address:192.168.201.130
Signature Algorithm: Ed25519
d5:d1:97:07:d8:23:76:b3:d6:03:45:6f:4b:52:56:f6:ca:56:
fc:11:c8:1c:2e:08:ad:27:6a:4e:eb:8e:de:98:21:31:9b:a5:
a3:11:4e:06:88:7d:c7:33:75:36:30:7b:ad:1f:54:07:79:f7:
d7:a3:14:15:ba:0f:3a:fd:4b:0e
$ sysctl -n kern.version
OpenBSD 7.9-current (GENERIC.MP) #478: Fri May 15 12:43:18 MDT 2026
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
$ wget https://192.168.201.130:8999
--2026-05-17 08:15:50-- https://192.168.201.130:8999/
Connecting to 192.168.201.130:8999... connected.
OpenSSL: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert
handshake failure
Unable to establish SSL connection.
$ curl -kvs https://192.168.201.130:8999
* Trying 192.168.201.130:8999...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* TLS connect error: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3
alert handshake failure
* closing connection #0
$ echo : | openssl s_client -connect 192.168.201.130:8999 -showcerts
CONNECTED(00000003)
4008357358888:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert
handshake failure:/usr/src/lib/libssl/tls13_lib.c:167:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 1505 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1778927623
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
$ echo : | openssl s_client -connect 192.168.201.130:8999 -showcerts
CONNECTED(00000003)
7907245047080:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert
handshake failure:/usr/src/lib/libssl/tls13_lib.c:167:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 1505 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1778927773
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
$ echo : | eopenssl35 s_client -connect 192.168.201.130:8999 -showcerts
Connecting to 192.168.201.130
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=172.17.0.1
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=172.17.0.1
verify return:1
---
Certificate chain
0 s:CN=172.17.0.1
i:CN=172.17.0.1
a:PKEY: ED25519, 256 (bit); sigalg: ED25519
v:NotBefore: May 15 10:49:28 2026 GMT; NotAfter: May 15 10:49:28 2027 GMT
-----BEGIN CERTIFICATE-----
MIIBbTCCAR+gAwIBAgIUJge+35lIFRXXyVnCEKv7YhdgpaMwBQYDK2VwMBUxEzAR
BgNVBAMMCjE3Mi4xNy4wLjEwHhcNMjYwNTE1MTA0OTI4WhcNMjcwNTE1MTA0OTI4
WjAVMRMwEQYDVQQDDAoxNzIuMTcuMC4xMCowBQYDK2VwAyEALc0Q2HYRaUjmKh9V
/EVbZWrsqDCJviA8gtR+vpQWigKjgYAwfjAdBgNVHQ4EFgQUQ/+XYJSniAD+mpq5
sfPEG0b4hCEwHwYDVR0jBBgwFoAUQ/+XYJSniAD+mpq5sfPEG0b4hCEwDwYDVR0T
AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCBaAwGwYDVR0RBBQwEocErBEAAYcEwKgA
7IcEwKjJgjAFBgMrZXADQQDV0ZcH2CN2s9YDRW9LUlb2ylb8EcgcLgitJ2pO647e
mCExm6WjEU4GiH3HM3U2MHutH1QHeffXoxQVug86/UsO
-----END CERTIFICATE-----
---
Server certificate
subject=CN=172.17.0.1
issuer=CN=172.17.0.1
---
No client certificate CA names sent
Peer signature type: ed25519
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 1821 bytes and written 1604 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: B726614F2AE4A46B15FC91C51ACCD47A3812B880614BB103326284E7F0D4CD00
Session-ID-ctx:
Resumption PSK:
854C617A93466B5EAD4D7A88654C0C0F0F3C4D6BFB27939CEC8D9C7B9FA92E246B6A043CC4F7D4C4A7390DC513A60F45
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 25 64 3b f4 61 f2 60 fe-ee 4d 63 df 44 35 14 1a %d;.a.`..Mc.D5..
0010 - 59 1a 67 99 ff 41 4a 60-c0 1f bf a6 89 4b 89 0b Y.g..AJ`.....K..
0020 - 98 eb 0c a4 7c 9d 84 c2-f4 26 b2 2f 32 3a 59 bd ....|....&./2:Y.
0030 - 5e dc d3 dd 6f f9 17 14-2e f3 e1 22 0f 11 23 a2 ^...o......"..#.
0040 - d4 61 5c 13 4a b8 6b 70-6b 2e 02 4d 5d 0b c3 17 .a\.J.kpk..M]...
0050 - b7 95 a6 8c 76 9f b3 b1-3c 76 ba 7d 9b e3 af 24 ....v...<v.}...$
0060 - 8c 45 c1 2d 95 2a b1 ea-83 99 e0 4e 15 2b a3 9b .E.-.*.....N.+..
0070 - c8 6c 13 e2 af b1 4c 46-b4 78 d0 f1 86 ea 2b a2 .l....LF.x....+.
0080 - ba b7 21 33 41 4e 0a f5-80 03 88 5b e7 cf fb f1 ..!3AN.....[....
0090 - 36 4e f3 84 40 84 2f 47-00 1e 76 19 1d 9e 15 8f 6N..@./G..v.....
00a0 - 84 92 42 b0 3d f2 0e 05-17 ad c9 36 c1 90 2e 7f ..B.=......6....
00b0 - 34 52 26 46 2a 5c fa 8e-31 3c e3 98 6b 64 04 45 4R&F*\..1<..kd.E
00c0 - 13 ae 8a 27 b1 38 43 45-a7 71 24 01 75 f0 59 e7 ...'.8CE.q$.u.Y.
Start Time: 1778927780
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: B4A876F0E657FB76DF0AD2301EA85C71A1FCFCED24FD84B99D35FC5F403A6716
Session-ID-ctx:
Resumption PSK:
0A38A61C060A4278B64D62A1B89138854B608300DA394AE44106898FE9E0CAB00DC7B5F02425F44CB6C47D5EF0F84781
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 25 64 3b f4 61 f2 60 fe-ee 4d 63 df 44 35 14 1a %d;.a.`..Mc.D5..
0010 - 22 c5 1f 88 d4 8a 9f f0-4e 11 26 2c 61 8a 5d 29 ".......N.&,a.])
0020 - be f8 a2 e4 9c d4 90 36-c6 5f 9a 4a 83 21 c5 c1 .......6._.J.!..
0030 - 57 81 a9 76 ef 82 46 d5-8b 78 a8 37 4f 6b 2f df W..v..F..x.7Ok/.
0040 - d2 ee 97 dd 9e 35 a3 6b-26 d8 97 f6 fd 9b 5b 4e .....5.k&.....[N
0050 - 81 0e 6a 06 73 15 2f 69-0c 37 22 cf 72 5c 6b 19 ..j.s./i.7".r\k.
0060 - 0b d7 0b 67 cd ef da 13-77 10 f9 ad d8 19 ec 1c ...g....w.......
0070 - 5b 26 34 ae 74 a4 98 0e-96 2c f1 ec 27 78 52 60 [&4.t....,..'xR`
0080 - ae f0 f4 81 73 0e d9 2d-a8 e9 bc 4c 87 93 79 c2 ....s..-...L..y.
0090 - e6 2d 5d 87 b9 dd ef d0-a2 b9 42 dc f9 35 d1 14 .-].......B..5..
00a0 - 58 04 d9 bf 89 bf 68 45-72 dd f9 58 2a 55 1a 92 X.....hEr..X*U..
00b0 - df 59 92 21 e8 74 7d 92-7b 4b f7 2b bc 28 e1 4b .Y.!.t}.{K.+.(.K
00c0 - e4 42 66 30 8f 7f 7b d0-62 c4 dd 30 24 6a c8 ee .Bf0..{.b..0$j..
Start Time: 1778927780
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
DONE
$ echo : | eopenssl40 s_client -connect 192.168.201.130:8999 -showcerts
Connecting to 192.168.201.130
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=172.17.0.1
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=172.17.0.1
verify return:1
---
Certificate chain
0 s:CN=172.17.0.1
i:CN=172.17.0.1
a:PKEY: ED25519, 256 (bit); sigalg: ED25519
v:NotBefore: May 15 10:49:28 2026 GMT; NotAfter: May 15 10:49:28 2027 GMT
-----BEGIN CERTIFICATE-----
MIIBbTCCAR+gAwIBAgIUJge+35lIFRXXyVnCEKv7YhdgpaMwBQYDK2VwMBUxEzAR
BgNVBAMMCjE3Mi4xNy4wLjEwHhcNMjYwNTE1MTA0OTI4WhcNMjcwNTE1MTA0OTI4
WjAVMRMwEQYDVQQDDAoxNzIuMTcuMC4xMCowBQYDK2VwAyEALc0Q2HYRaUjmKh9V
/EVbZWrsqDCJviA8gtR+vpQWigKjgYAwfjAdBgNVHQ4EFgQUQ/+XYJSniAD+mpq5
sfPEG0b4hCEwHwYDVR0jBBgwFoAUQ/+XYJSniAD+mpq5sfPEG0b4hCEwDwYDVR0T
AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCBaAwGwYDVR0RBBQwEocErBEAAYcEwKgA
7IcEwKjJgjAFBgMrZXADQQDV0ZcH2CN2s9YDRW9LUlb2ylb8EcgcLgitJ2pO647e
mCExm6WjEU4GiH3HM3U2MHutH1QHeffXoxQVug86/UsO
-----END CERTIFICATE-----
---
Server certificate
subject=CN=172.17.0.1
issuer=CN=172.17.0.1
---
No client certificate CA names sent
Peer signature type: ed25519
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 1821 bytes and written 1610 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
ECH: NOT CONFIGURED: -103
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 868905576957C72F5C0E18549B886D9E5E9921F2D99A4EFAD24FC5619B852E99
Session-ID-ctx:
Resumption PSK:
7E9D0D639C5E17436A8C5B0E80976D56BFDCABC0379533BE20F325D124A235A6B43263CF4E23F769E2492970F3FEF0D0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 25 64 3b f4 61 f2 60 fe-ee 4d 63 df 44 35 14 1a %d;.a.`..Mc.D5..
0010 - 9f 99 29 5f 27 c0 cc 3f-aa 88 00 6d e2 b2 76 6b ..)_'..?...m..vk
0020 - 2a 09 f4 27 90 3a 2c d4-81 67 9f 72 28 c6 55 c7 *..'.:,..g.r(.U.
0030 - 9c 98 7a 44 2f de 10 6c-4c e8 42 6d c8 d2 39 96 ..zD/..lL.Bm..9.
0040 - 20 17 5a b5 a5 1b 12 5e-23 aa a0 b4 d9 84 f4 3f .Z....^#......?
0050 - 2a f2 77 cb 8c ef a9 4c-82 7c 07 df 13 ce 05 8c *.w....L.|......
0060 - e1 21 9d 85 27 e6 9d 8b-c2 c7 a7 05 5f 08 28 f0 .!..'......._.(.
0070 - 19 6b 5e 67 29 4b d8 18-b7 58 eb 94 af 22 ba b5 .k^g)K...X..."..
0080 - b1 5b c2 05 12 ce f4 9a-23 9d 31 cb fd 65 fc aa .[......#.1..e..
0090 - 47 33 6e f8 3d ae 71 3e-42 d2 f6 91 d7 a3 58 1c G3n.=.q>B.....X.
00a0 - 4c f4 06 b9 d6 d0 77 80-67 e8 a1 4b 9f 92 0b 76 L.....w.g..K...v
00b0 - 86 a6 1e b5 06 a8 cb 66-b3 59 27 8f 59 6d 6f e2 .......f.Y'.Ymo.
00c0 - 32 24 03 f8 88 1a 3e a3-84 df af a2 f9 43 9d f7 2$....>......C..
Start Time: 1778927784
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: D10863AF2A8D8B0C79AC5A6A378F5CB580E9245B91FDD44AA5A6EC58BEFB1D4F
Session-ID-ctx:
Resumption PSK:
BA02BFC9B93788E983040C186D9143E4DA92E3072BC1DB4696B70171808C97071F85B54FBB3DB0599FEB9135104940DF
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 25 64 3b f4 61 f2 60 fe-ee 4d 63 df 44 35 14 1a %d;.a.`..Mc.D5..
0010 - 1d 7d 49 1d 12 cb a5 ef-cd 7d 1e eb 5e 21 45 57 .}I......}..^!EW
0020 - 29 5c 7d ca ea 15 ee da-70 21 20 f4 b6 2d bc 21 )\}.....p! ..-.!
0030 - 13 21 4a 3d b1 13 e0 b2-87 18 41 e5 50 78 65 00 .!J=......A.Pxe.
0040 - 30 2b f3 43 07 24 61 05-10 0f de 14 d4 73 b5 8f 0+.C.$a......s..
0050 - 22 a4 c4 17 3f b6 8f 60-45 76 8f 4a b5 e9 22 a3 "...?..`Ev.J..".
0060 - 58 54 40 a9 04 17 98 fb-f2 92 d6 a8 fa e5 bc f7 XT@.............
0070 - 89 06 fd 32 ce 14 e9 08-17 06 f3 f1 f2 b4 08 0e ...2............
0080 - e3 c1 c4 5d 7b 73 7f a9-36 bb f4 96 19 ae 8b 17 ...]{s..6.......
0090 - e0 37 21 78 4d c2 06 59-0a ef 7a 5d cc 99 7c 84 .7!xM..Y..z]..|.
00a0 - 9a 9e 26 2a 61 42 94 ce-39 f5 ed 8c 21 3e 0e 47 ..&*aB..9...!>.G
00b0 - 69 5d 96 c8 75 4a 30 87-30 a8 f5 fb dd d6 de ed i]..uJ0.0.......
00c0 - a9 5f 16 5d 70 41 05 93-83 1e 44 26 c3 9f 18 57 ._.]pA....D&...W
Start Time: 1778927784
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
DONE
--
Regards,
Mikolaj
