From 2ac0d127903baab68f3e9c65df5ca92708b058ec Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Tue, 10 Feb 2026 20:36:14 +0100
Subject: [PATCH] MINOR: startup: Add the SSL lib verify directory in haproxy
 -vv

SSL libraries built manually might lack the right
X509_get_default_cert_dir() value.

The common way to fix the problem is to build openssl with
./configure --openssldir=/etc/ssl/

In order to verify this setting, output it with haproxy -vv.
---
 src/ssl_sock.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 3540038a2..7a75d7c5b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -8554,6 +8554,7 @@ static void ssl_register_build_options()
 #if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 	memprintf(&ptr, "%s\nSSL library FIPS mode : %s", ptr, FIPS_mode() ? "yes" : "no");
 #endif
+	memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, X509_get_default_cert_dir());
 	memprintf(&ptr, "%s\nSSL library supports :", ptr);
 	for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
 		if (methodVersions[i].option)
-- 
2.47.3