I noticed the postfix package tests are failing. It seems like it may be because netcat's TLS support is broken: :: [ 22:10:36 ] :: [ BEGIN ] :: Starting netcat :: actually running 'nc -l 1125 -c mockserver.sh &' nc: failed to open CA file '/etc/pki/tls/cert.pem': No such file or directory Tracing this out, netcat does this: Rflag = tls_default_ca_cert_file(); ... if (usetls) { if ((tls_cfg = tls_config_new()) == NULL) errx(1, "unable to allocate TLS config"); if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1) errx(1, "%s", tls_config_error(tls_cfg)); See https://github.com/openbsd/src/blob/28304016fe9353c375bc53e9b3d5bb67585d6a2a/usr.bin/nc/netcat.c#L172 and https://github.com/openbsd/src/blob/28304016fe9353c375bc53e9b3d5bb67585d6a2a/usr.bin/nc/netcat.c#L521 . tls_default_ca_cert_file is from libretls, but it's just this: tls_default_ca_cert_file(void) { return X509_get_default_cert_file(); } X509_get_default_cert_file is from OpenSSL, and on Fedora it returns /etc/pki/tls/cert.pem , which doesn't exist. This is because since https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile we intentionally don't *have* a default "cert file" for OpenSSL, we have a default cert *directory*. OpenSSL can work with either, but netcat via libretls is assuming there will always be a cert file.
Is there a specific reason why you use OpenBSD netcat instead of Nmap Ncat? Especially Red Hat favors Nmap Ncat since 10+ years (and refused any nc alternative in RHEL over the same time frame).
No idea. I didn't write the postfix test suite.
FEDORA-2026-f7dee4d8de (netcat-1.237-3.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-f7dee4d8de
I'm not sure that's really a fix? I think it'll just result in there being no trusted certs, so all TLS operations will still fail?
After reading https://git.causal.agency/libretls/about/#Compatibility I think this is a fix. If you still disagree, patch proposals are welcome.
Ah, yeah, if this just puts LibreTLS back to default behaviour and its default is to follow OpenSSL's defaults, that should work indeed. I guess we'll find out next time the postfix test suite runs...
FEDORA-2026-f7dee4d8de has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-f7dee4d8de` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-f7dee4d8de See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Hmm, looks like now we get: :: [ 20:30:08 ] :: [ BEGIN ] :: Starting netcat :: actually running 'nc -l 1125 -c mockserver.sh &' nc: tls configuration failed (private/public key mismatch) https://artifacts.dev.testing-farm.io/0728b162-650a-4293-a6fd-54f239c99eb9/ not sure if that's a test suite issue or nc issue...
FEDORA-2026-f7dee4d8de (netcat-1.237-3.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.