Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
From | Jacob Champion |
---|---|
Subject | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
Date | |
Msg-id | CAAWbhmgYfpoJ1OReOBvFjrk9ztA6dNtSE8V22UnTwQtn_+byeg@mail.gmail.com |
In response to | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert (Daniel Gustafsson <daniel@yesql.se>) |
Responses | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
List | pgsql-hackers |
On Fri, Apr 14, 2023 at 3:36 PM Daniel Gustafsson <daniel@yesql.se> wrote:

> This "error: Success" error has been reported to the list numerous times as
> misleading, and I'd love to make progress on improving error reporting during
> the v17 cycle.

Agreed!

> The attached checks for the specific known error, and leave all the other cases
> to the same logging that we have today. It relies on the knowledge that system
> sslrootcert configs have deferred loading, and will run with verify-full. So if
> we see an X509 failure in loading the local issuer cert here then we know the
> user wanted to use the system CA pool for certificate verification but the
> root CA cannot be loaded for some reason.

This LGTM; I agree with your reasoning.

Note that it won't fix the (completely different) misleading error message for OpenSSL 3.0, but since that's an *actively* unhelpful error message coming back from OpenSSL, I don't think we want to override it. For 3.1, we have no information and we're trying to fill in the gaps.

--Jacob
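The pattern discussed in this thread, shown as an added illustration that is not part of the patch or of libpq: an "error: Success" message appears when a caller reports `strerror(errno)` after a library failure that never touched `errno`, and the remedy is to recognise the one known case (system CA pool requested, local issuer certificate could not be obtained) and fall back to the existing generic reporting for everything else. The error codes, the `describe_cert_failure` function and its callers are hypothetical and exist only to demonstrate the decision logic.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical verification outcomes, standing in for whatever the TLS
 * library reports. They are not OpenSSL's own constants. */
enum cert_result {
    CERT_OK = 0,
    CERT_NO_LOCAL_ISSUER = 1,   /* issuer cert not found in the configured pool */
    CERT_OTHER_FAILURE = 2      /* anything else: leave existing reporting alone */
};

/* Build a diagnostic for a failed server-certificate check.
 * rootcert   : value of the sslrootcert setting ("system" or a file path)
 * result     : outcome from the verifier
 * saved_errno: errno captured immediately after the failing call
 * Returns buf for convenience. */
const char *describe_cert_failure(const char *rootcert, enum cert_result result,
                                  int saved_errno, char *buf, size_t buflen)
{
    /* The one known case: system CA pool requested, deferred loading of
     * the root CA failed. Say so explicitly instead of consulting errno. */
    if (rootcert != NULL && strcmp(rootcert, "system") == 0 &&
        result == CERT_NO_LOCAL_ISSUER) {
        snprintf(buf, buflen,
                 "could not get server certificate issuer from the system CA pool; "
                 "check that the system trust store is readable and complete");
        return buf;
    }

    /* Anti-pattern this thread is about: errno was never set by the
     * library call, so strerror(0) yields "Success". Only use errno when
     * it actually carries information. */
    if (saved_errno != 0) {
        snprintf(buf, buflen, "certificate verification failed: %s",
                 strerror(saved_errno));
        return buf;
    }

    snprintf(buf, buflen, "certificate verification failed: no further detail available");
    return buf;
}

/* Demonstrates the misleading message the naive approach produces. */
const char *naive_message(int saved_errno, char *buf, size_t buflen)
{
    snprintf(buf, buflen, "error: %s", strerror(saved_errno));
    return buf;
}

int main(void)
{
    char buf[256];

    /* Constructed scenario: library failed, errno untouched (0). */
    puts(naive_message(0, buf, sizeof buf));
    puts(describe_cert_failure("system", CERT_NO_LOCAL_ISSUER, 0, buf, sizeof buf));
    puts(describe_cert_failure("/etc/ssl/custom-root.crt", CERT_NO_LOCAL_ISSUER, 0, buf, sizeof buf));
    puts(describe_cert_failure("system", CERT_OTHER_FAILURE, ENOENT, buf, sizeof buf));
    return 0;
}
```

The explicit branch is deliberately narrow: it fires only when both conditions that the thread identifies hold (system pool requested and the issuer lookup failed), so callers with a file-based `sslrootcert` still get the unchanged generic path rather than a message that guesses at their configuration.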