Unlike firefox, chromium, and openssl s_client, these command line tools fail to connect (openbsd-amd64-current):
% curl --verbose https://oleg.fi/gentle-introduction-2020.11.tar.gz * Trying 91.232.156.79:443... * Connected to oleg.fi (91.232.156.79) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem * CApath: none * (304) (OUT), TLS handshake, Client hello (1): * (304) (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. % wget https://oleg.fi/gentle-introduction-2020.11.tar.gz --2020-12-21 14:31:08-- https://oleg.fi/gentle-introduction-2020.11.tar.gz Resolving oleg.fi (oleg.fi)... 91.232.156.79, 91.232.156.80 Connecting to oleg.fi (oleg.fi)|91.232.156.79|:443... connected. ERROR: cannot verify oleg.fi's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’: Unable to locally verify the issuer's authority. To connect to oleg.fi insecurely, use `--no-check-certificate'. % ldd /usr/local/bin/wget /usr/local/bin/wget: Start End Type Open Ref GrpRef Name 0000028245752000 00000282457ef000 exe 1 0 0 /usr/local/bin/wget 000002845a4aa000 000002845a5ac000 rlib 0 5 0 /usr/local/lib/libiconv.so.7.0 00000284a6a85000 00000284a6a94000 rlib 0 2 0 /usr/local/lib/libintl.so.7.0 0000028476e8b000 0000028477038000 rlib 0 3 0 /usr/local/lib/libunistring.so.0.1 00000284cea20000 00000284cea7b000 rlib 0 1 0 /usr/local/lib/libpcre2-8.so.0.6 00000284ca5f0000 00000284ca644000 rlib 0 2 0 /usr/local/lib/libidn2.so.1.1 000002844acfc000 000002844ad67000 rlib 0 1 0 /usr/lib/libssl.so.48.1 00000284d4b06000 00000284d4d40000 rlib 0 2 0 /usr/lib/libcrypto.so.46.1 0000028498635000 0000028498651000 rlib 0 1 0 /usr/lib/libz.so.5.0 000002848afdb000 000002848afee000 rlib 0 1 0 /usr/local/lib/libpsl.so.1.2 00000284c60f8000 00000284c61ed000 rlib 0 1 0 /usr/lib/libc.so.96.0 0000028452c0b000 0000028452c0b000 ld.so 0 1 0 /usr/libexec/ld.so % ldd /usr/local/bin/curl /usr/local/bin/curl: Start End Type Open Ref GrpRef Name 000009d2abca1000 000009d2abce2000 exe 2 0 0 /usr/local/bin/curl 000009d5a14d1000 000009d5a1567000 rlib 0 1 0 /usr/local/lib/libcurl.so.26.7 000009d4ff540000 000009d4ff574000 rlib 0 2 0 /usr/local/lib/libnghttp2.so.0.17 000009d58f833000 000009d58f89e000 rlib 0 2 0 /usr/lib/libssl.so.48.1 000009d538cb7000 000009d538ef1000 rlib 0 3 0 /usr/lib/libcrypto.so.46.1 000009d4ec321000 000009d4ec33d000 rlib 0 2 0 /usr/lib/libz.so.5.0 000009d4b462c000 000009d4b4638000 rlib 0 2 0 /usr/lib/libpthread.so.26.1 000009d536ee5000 000009d536fda000 rlib 0 1 0 /usr/lib/libc.so.96.0 000009d519c60000 000009d519c60000 ld.so 0 1 0 /usr/libexec/ld.so % openssl s_client -connect oleg.fi:443 CONNECTED(00000003) depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority verify return:1 depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.kapsi.fi verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.kapsi.fi verify return:1 write W BLOCK --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.kapsi.fi i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIFRjCCBC6gAwIBAgIRAMbBoUVRp4Uh1Kuwos+EGm4wDQYJKoZIhvcNAQELBQAw gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg Q0EwHhcNMTgwMTAxMDAwMDAwWhcNMjEwMTE4MjM1OTU5WjBXMSEwHwYDVQQLExhE b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHTAbBgNVBAsTFFBvc2l0aXZlU1NMIFdp bGRjYXJkMRMwEQYDVQQDDAoqLmthcHNpLmZpMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAtKQ0kq9GhS//uhvOlIQ278aXq+35KjjVAvcrsv2BfIk8Bi85 1QHfaKyUm2H/SN8eYqpgiNP7QmGsN3jvJ7Aljrqj+j7wfVbmM1KuhBoV0syzAPjI zLPdu7mzYaeg80MVDMTRhYOZxzuoR9/yhNa7xCQpMr/cXhqITDSWID0iBwLHEo/8 /ESKNxSjrCd2LgakJL+x1J3OCAiN7ejAnPKu3nbZJp81QIpHZfnazy9aQnTxMwp8 kd7ha8q6GHlR/4ehXQiKzrOefHbuuCHnkgKhz2yS3cVHKMF+vSxGKHL3LVtykEIJ CgUJJmtKSeF8EUBqstYCEg+6glDc4Wy+kXZ2swIDAQABo4IB0TCCAc0wHwYDVR0j BBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFDmiOzbxEjFHXFvp 1D2FcHFNynt5MA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIH MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgG BmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNv bS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGF BggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2Eu Y29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQw JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAfBgNVHREEGDAW ggoqLmthcHNpLmZpgghrYXBzaS5maTANBgkqhkiG9w0BAQsFAAOCAQEAVKiU1adA Bf+gW2WqpRRDTWzSKTOoJGPvguqinQg9Lm/+nUbPFxXmWhb3hYXkSKzLpChBwGVp Cw3vYx0bngloKAgPwg7XnqIjs3vN/u4plyeIegK3JCLtK5POBu7NwlDCHau4Knen 3OzTyG7D05EtBMca33O5eXye8hDro5WF45v9FhleWZzaCagEnECOLoxpj1DPJ5zw uTUic1Li6tsykrEm0bliIHzjrQm8iaZHOSPOEcElAVztu7tpdqRhrn2U4nm51DMe ixFPPBe/9Lvn/6O04OauRd5SCRlJmiBvoG4WykzBwbqUvT861Hd12wiwLBGOtTrd jYQJtAeD+YvpXQ== -----END CERTIFICATE----- subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.kapsi.fi issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA --- No client certificate CA names sent Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3412 bytes and written 413 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: DE402639CA2F6A30E8F761122BE169A968092D757F5421C7928C5063D8BCE492 Session-ID-ctx: Master-Key: A4F548BFC44D57206750B7582E31B41B8028D4DCB7929CBB169D9738F88AA7014E0690CB5B6F31AF470714FF9BF8C139 Start Time: 1608590243 Timeout : 7200 (sec) Verify return code: 0 (ok) ---