On Fri, Apr 14, 2023 at 3:36 PM Daniel Gustafsson <dan...@yesql.se> wrote:
> This "error: Success" error has been reported to the list numerous times as
> misleading, and I'd love to make progress on improving error reporting during
> the v17 cycle.

Agreed!

> The attached checks for the specific known error, and leaves all the other
> cases to the same logging that we have today. It relies on the knowledge that
> system sslrootcert configs have deferred loading, and will run with
> verify-full. So if we see an X509 failure in loading the local issuer cert
> here then we know the user wanted to use the system CA pool for certificate
> verification but the root CA cannot be loaded for some reason.

This LGTM; I agree with your reasoning. Note that it won't fix the
(completely different) misleading error message for OpenSSL 3.0, but
since that's an *actively* unhelpful error message coming back from
OpenSSL, I don't think we want to override it. For 3.1, we have no
information and we're trying to fill in the gaps.

--Jacob