On Sun, Apr 2, 2023 at 1:36 PM Daniel Gustafsson <dan...@yesql.se> wrote: > > On 31 Mar 2023, at 19:59, Jacob Champion <jchamp...@timescale.com> wrote: > > I can make that change; note that it'll also skip some of the new tests > > with OpenSSL 1.0.1, where there's no SSL_CTX_set_cert_cb. If that's > > acceptable, it should be an easy switch. > > I'm not sure I follow, AFAICT it's present all the way till 3.1 at least? > What > am I missing?
I don't see it anywhere in my 1.0.1 setup, and Meson doesn't define HAVE_SSL_CTX_SET_CERT_CB when built against it. > > Is there something we could document that's more helpful than "make sure > > your installation isn't broken"? > > I wonder if there is an openssl command line example for verifying defaults > that we can document and refer to? We could maybe have them connect to a known host: $ echo Q | openssl s_client -connect postgresql.org:443 -verify_return_error Alternatively, OpenSSL will show you the OPENSSLDIR: $ openssl version -d OPENSSLDIR: "/usr/lib/ssl" and then we could tell users to ensure they have a populated certs/ directory or a cert.pem file underneath it. That'll be prone to rot, though (e.g. OpenSSL 3 introduces the default store in addition to the default file+directory). Thanks, --Jacob