1:  d19b0bfc95 ! 1:  b01812f604 libpq: add sslrootcert=system to use default CAs
    @@ Commit message
     
         Based on a patch by Thomas Habets.
     
    +    Note the workaround in .cirrus.yml for a strange interaction between
    +    brew and the openssl@3 formula; hopefully this can be removed in the
    +    near future.
    +
         Discussion: https://www.postgresql.org/message-id/flat/CA%2BkHd%2BcJwCUxVb-Gj_0ptr3_KZPwi3%2B67vK6HnLFBK9MzuYrLA%40mail.gmail.com
     
    + ## .cirrus.yml ##
    +@@ .cirrus.yml: task:
    +       make \
    +       meson \
    +       openldap \
    +-      openssl \
    ++      openssl@3 \
    +       python \
    +       tcl-tk \
    +       zstd
    + 
    +     brew cleanup -s # to reduce cache size
    ++
    ++    # brew cleanup removes the empty certs directory in OPENSSLDIR, causing
    ++    # OpenSSL to report unexpected errors ("unregistered scheme") during
    ++    # verification failures. Put it back for now as a workaround.
    ++    #
    ++    #   https://github.com/orgs/Homebrew/discussions/4030
    ++    #
    ++    # Note that $(brew --prefix openssl) will give us the opt/ prefix but not
    ++    # the etc/ prefix, so we hardcode the full path here. openssl@3 is pinned
    ++    # above to try to minimize the chances of this changing beneath us, but it's
    ++    # brittle...
    ++    mkdir -p "/usr/local/etc/openssl@3/certs"
    +   upload_caches: homebrew
    + 
    +   ccache_cache:
    +
      ## configure ##
     @@ configure: $as_echo "$ac_res" >&6; }
      
2:  87a324efcf = 2:  432453942a libpq: force sslmode=verify-full for system CAs