On Thu, 2021-01-21 at 20:16 +0000, Jacob Champion wrote: > I think we're missing a counterpart to this piece of the OpenSSL > implementation, in be_tls_init():
Never mind. Using SSL_SetTrustAnchor is something we could potentially do if we wanted to further limit the CAs that are actually sent to the client, but it shouldn't be necessary to get the tests to pass. I now think that it's just a matter of making sure that the "server-cn- only" DB has the root_ca.crt included, so that it can correctly validate the client certificate. Incidentally I think this should also fix the remaining failing SCRAM test. I'll try to get a patch out tomorrow, if adding the root CA doesn't invalidate some other test logic. --Jacob
