untrusted comment: verify with openbsd-67-base.pub RWRmkIA877Io3t3C9zPg6TJv4WdWT7Fcn1ZJOpVtHz1rozkORegnJLSrpeqeJM2xzSvOUXEEbBGGLbRKocaXRLrybs/fRsZkTQA= OpenBSD 6.7 errata 020, August 18, 2020: The previous errata patch 019 broke bidirectional SSL_shutdown. Apply by doing: signify -Vep /etc/signify/openbsd-67-base.pub -x 020_libssl.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install libssl and unwind: cd /usr/src/lib/libssl make obj make make install cd /usr/src/sbin/unwind make obj make make install Index: lib/libssl/tls13_legacy.c =================================================================== RCS file: /cvs/src/lib/libssl/tls13_legacy.c,v retrieving revision 1.3.4.2 diff -u -p -r1.3.4.2 tls13_legacy.c --- lib/libssl/tls13_legacy.c 10 Aug 2020 18:59:47 -0000 1.3.4.2 +++ lib/libssl/tls13_legacy.c 12 Aug 2020 18:46:12 -0000 @@ -497,6 +497,7 @@ tls13_legacy_shutdown(SSL *ssl) if ((ret = tls13_record_layer_send_pending(ctx->rl)) != TLS13_IO_SUCCESS) return tls13_legacy_return_code(ssl, ret); + ctx->close_notify_sent = 1; } else if (!ctx->close_notify_recv) { /* * If there is no application data pending, attempt to read more