Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

On 12.04.23 22:52, Jacob Champion wrote:
> It surprises me that you can get a successful test with a missing
> certs directory. If I remove the workaround in Cirrus, I get the
> following error, which looks the same to me:
> 
>      [20:40:00.253](0.000s) not ok 121 - sslrootcert=system does not
> connect with private CA: matches
>      [20:40:00.253](0.000s) #   Failed test 'sslrootcert=system does
> not connect with private CA: matches'
>      #   at /Users/admin/pgsql/src/test/ssl/t/001_ssltests.pl line 479.
>      [20:40:00.253](0.000s) #                   'psql: error:
> connection to server at "127.0.0.1", port 57681 failed: SSL SYSCALL
> error: Undefined error: 0'
>      #     doesn't match '(?^:SSL error: certificate verify failed)'
> 
> (That broken error message has changed since 3.0; now it's busted in a
> new way as of 3.1, I guess.)
> 
> Does the test start passing if you create an empty certs directory? It
> still wouldn't explain why Daniel's setup is succeeding...

After

mkdir /usr/local/etc/openssl@3/certs

the tests pass!