<!DOCTYPE html>
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <pre>Package: openssl
  Version: 3.0.11-1~deb12u2


  When I invoke `/usr/bin/openssl s_client -connect 192.168.92.95:636`


root@nsd-sdproxy1:~# cat /etc/debian_version 
12.5
root@nsd-sdproxy1:~# 

root@nsd-sdproxy1:~# uname -a
Linux nsd-sdproxy1 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
root@nsd-sdproxy1:~# 


I have the latest patches installed.


Telnet works 

root@nsd-sdproxy1:~# telnet  192.168.92.95 636
Trying 192.168.92.95...
Connected to nsd-ad.
Escape character is '^]'.


from latest rocky linux it is ok

[bogucki@nsd-ansible ~]$ /usr/bin/openssl  s_client -connect 192.168.92.95:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = dc1.dev.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dc1.dev.it
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = dc1.dev.it
verify return:1
---
Certificate chain
 0 s:CN = dc1.dev.it
   i:DC = it, DC = dev, CN = dev-DC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFtDCCBJygAwIBAgITHQAAAAIpIoHQZ/LB4AAAAAAAAjANBgkqhkiG9w0BAQUF
ADA+MRIwEAYKCZImiZPyLGQBGRYCaXQxEzARBgoJkiaJk/IsZAEZFgNkZXYxEzAR
BgNVBAMTCmRldi1EQzEtQ0EwHhcNMjMxMjIwMjIzNDUyWhcNMjQxMjE5MjIzNDUy
WjAVMRMwEQYDVQQDEwpkYzEuZGV2Lml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAuNy00MrsJl16YwJ7aBq3qKQkGKiWwIpJPIhnSxs+oSWHyXnPzElh
3YybHYSFmVhCioqgv9AacMEQUfgzanURMdDRetOMfnYD0TyfMM9FHcV+U3QR7XRc
gd9V+7V04Pp/tJzfatOljiZ32OIf+RpuOOzaAs7K2sPu7C9asoJvT292SWl6A+D/
I6y2ugaKpLfqQaJ3DD11u+Zyfsg+ynAvWrxOhWG1+ImHQShDuhzDZFaVnypw0HvA
Exm57lIsLGSYpecPCxN1x4dKQ0FgKfruH6S/IuAdY49WOjB8qDEg5dQFr85zYbZd
MyKqUN5e82v2Dy9cM/WBWC+M8DVsf75dQwIDAQABo4IC0jCCAs4wLwYJKwYBBAGC
NxQCBCIeIABEAG8AbQBhAGkAbgBDAG8AbgB0AHIAbwBsAGwAZQByMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAweAYJKoZIhvcN
AQkPBGswaTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAsGCWCGSAFl
AwQBKjALBglghkgBZQMEAS0wCwYJYIZIAWUDBAECMAsGCWCGSAFlAwQBBTAHBgUr
DgMCBzAKBggqhkiG9w0DBzAdBgNVHQ4EFgQUfBtL8l6VeeYQ7A98ffO89tTy72Iw
HwYDVR0jBBgwFoAU1YtlfOHW2JxHTtoslbmjPW0fmlUwgb8GA1UdHwSBtzCBtDCB
saCBrqCBq4aBqGxkYXA6Ly8vQ049ZGV2LURDMS1DQSxDTj1kYzEsQ049Q0RQLENO
PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
YXRpb24sREM9ZGV2LERDPWl0P2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFz
ZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBtwYIKwYBBQUHAQEE
gaowgacwgaQGCCsGAQUFBzAChoGXbGRhcDovLy9DTj1kZXYtREMxLUNBLENOPUFJ
QSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25m
aWd1cmF0aW9uLERDPWRldixEQz1pdD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0
Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA2BgNVHREELzAtoB8GCSsGAQQB
gjcZAaASBBDswipFcEo8QJ4wa+MD1ObxggpkYzEuZGV2Lml0MA0GCSqGSIb3DQEB
BQUAA4IBAQAsfoVcCK8W+IF2S70g96BNolfDj2fUJXDYU+T1cDMEo0nMT/Bmczj1
zI/leMKbHwJJIgZF6XDtZadv+AJtkjA9TBlvgJsLDVoD+Zr3u9tZ2uWbkPkvBEP2
4WD6ioij6w/WJZ4/ZLk654mPN4e59cd2QdaPlFJzXMmF04qBkAio7/OV/eStJA+m
NRj1c/7FvKMssMp8P++AG6bENRFEz8Syu4Bjhma69PR0c+1ElLwc/uZgaROSTvf5
6ZYoKvniP0B+r+tnHjuF1H72eDJV9TjL4/I00M+Qt1nsoms06A/GwrUfk6+gGsge
WN7jgiktT3hZ/xexMOFSWaWUK5/vc6Cp
-----END CERTIFICATE-----
subject=CN = dc1.dev.it

issuer=DC = it, DC = dev, CN = dev-DC1-CA

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2020 bytes and written 467 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: 281C000089A8FE3766C77054BA467FB88A4AFE62F9B52D478E6840B5B29F2787
    Session-ID-ctx: 
    Master-Key: 2A4EBD468A173EA25C9217F586BE7D91206D0D367D75F44118205118DEE042B5B804292F3FEFD020A19EC6034F86B19C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1709547310
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---




-- 
Pozdrawiam serdecznie
Maciej Bogucki</pre>
  </body>
</html>