diff --git a/projects/openssl.org/package.yml b/projects/openssl.org/package.yml
index cd90c1f0..a7d74b98 100644
--- a/projects/openssl.org/package.yml
+++ b/projects/openssl.org/package.yml
@@ -21,37 +21,43 @@ build: tea.xyz/gx/cc: c99 tea.xyz/gx/make: '*' perl.org: 5 - curl.se: '*' # to download ca-certs on linux - git-scm.org: 2 + curl.se: '*' # to download ca-certs on linux + git-scm.org: 2 # to apply our patch script: | - if {{ hw.platform }} = linux; then - git apply {{ pkg.pantry-prefix }}/x509_def.c.diff - fi + git apply "{{ pkg.pantry-prefix }}"/x509_def.c.diff - ./Configure --prefix={{ prefix }} $ARCH no-tests $ARGS + ./Configure --prefix={{ prefix }} $ARCH no-tests $ARGS --openssldir={{prefix}}/ssl make --jobs {{ hw.concurrency }} - make install_sw # `_sw` avoids installing docs + make install_sw # `_sw` avoids installing docs - if test {{hw.platform}} = linux; then - #FIXME needs to be a curl.se/ca-certs that gets updates - mkdir -p "{{prefix}}/ssl" - curl -k https://curl.se/ca/cacert-2022-07-19.pem -o "{{prefix}}/ssl"/cert.pem - fi + #FIXME needs to be a curl.se/ca-certs that gets updates + #FIXME on macOS use /etc/ssl/cert.pem (I couldn't make this work) + #FIXME or on macOS get certs from the keychain + cd "{{prefix}}" + mkdir -p ssl + curl -k https://curl.se/ca/cacert-2022-07-19.pem -o ssl/cert.pem env: darwin/aarch64: {ARCH: 'darwin64-arm64-cc'} darwin/x86-64: {ARCH: 'darwin64-x86_64-cc'} linux/aarch64: {ARCH: 'linux-aarch64'} linux/x86-64: {ARCH: 'linux-x86_64'} darwin: - ARGS: --openssldir=/etc/ssl + # supposedly enables important optimizations + ARGS: enable-ec_nistp_64_gcc_128 + test: + make test #TODO need to test the SSL certs work # otherwise we are basically relying on wget etc. to test for it test: + dependencies: + gnu.org/wget: '*' script: | echo "This is a test file" > in openssl dgst -sha256 -out out ./in test "$(cat ./out)" = "$SAMPLE" + + wget tea.xyz # test the certs work env: SAMPLE: SHA256(./in)= c87e2ca771bab6024c269b933389d2a92d4941c848c52f155b9b84e1f109fe35 diff --git a/projects/openssl.org/x509_def.c.diff b/projects/openssl.org/x509_def.c.diff index 4600ca51..0d35223f 100644 
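Review bot: The CA bundle that becomes the trust root at `{{prefix}}/ssl/cert.pem` is fetched with `curl -k` and no integrity check, and with the `linux` guard removed this now runs on every platform. Anyone able to tamper with that connection at build time can substitute the bundle, and every consumer of this package would then trust the substituted roots. The URL is already pinned to a dated file, so pin its digest as well and fail the build on mismatch, for example `echo "<EXPECTED_SHA256>  ssl/cert.pem" | shasum -a 256 -c -` right after the download, and drop `-k` once the build-time curl has a working trust store. The added `wget tea.xyz` test only shows that one chain validates; it would not notice a bundle with extra roots in it.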
--- a/projects/openssl.org/x509_def.c.diff +++ b/projects/openssl.org/x509_def.c.diff @@ -1,32 +1,37 @@ diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c -index bfa8d7d..7e83bae 100644 +index bfa8d7d..da3c743 100644 --- a/crypto/x509/x509_def.c +++ b/crypto/x509/x509_def.c -@@ -11,25 +11,48 @@ +@@ -11,25 +11,53 @@ #include "internal/cryptlib.h" #include #include -+#include -+#include ++#include /* dirname */ ++ ++#ifdef __linux__ ++#define __USE_GNU ++#endif ++#include /* dladdr */ + +const char *relocat0r(const char *suffix) { -+ Dl_info info; -+ if (dladdr(relocat0r, &info)) { -+ const char *prefix = dirname(info.dli_fname); -+ char *dir = malloc(strlen(prefix) + strlen(suffix) + 2); -+ if (dir == NULL) { return NULL; } -+ sprintf(dir, "%s/%s", prefix, suffix); -+ return dir; ++ static const char *prefix = NULL; ++ if (!prefix) { ++ // repeated calls to dladdr seem to return different values on Linux ¯\_(ツ)_/¯ ++ Dl_info info; ++ if (!dladdr(relocat0r, &info)) { return NULL; } ++ prefix = dirname(info.dli_fname); + } -+ return NULL; ++ char *dir = malloc(strlen(prefix) + 4 + strlen(suffix) + 2); ++ if (!dir) { return NULL; } ++ sprintf(dir, "%s/../%s", prefix, suffix); ++ return dir; +} -+ const char *X509_get_default_private_dir(void) { - return X509_PRIVATE_DIR; + static const char *dir = NULL; -+ if (!dir) dir = relocat0r("private"); ++ if (!dir) dir = relocat0r("ssl/private"); + return dir ?: X509_PRIVATE_DIR; } @@ -42,7 +47,7 @@ index bfa8d7d..7e83bae 100644 { - return X509_CERT_DIR; + static const char *dir = NULL; -+ if (!dir) dir = relocat0r("certs"); ++ if (!dir) dir = relocat0r("ssl/certs"); + return dir ?: X509_CERT_DIR; } @@ -50,7 +55,7 @@ index bfa8d7d..7e83bae 100644 { - return X509_CERT_FILE; + static const char *dir = NULL; -+ if (!dir) dir = relocat0r("cert.pem"); ++ if (!dir) dir = relocat0r("ssl/cert.pem"); + return dir ?: X509_CERT_FILE; } 
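Review bot: `relocat0r` passes the loader-owned `info.dli_fname` straight to `dirname()` and then caches the returned pointer in `static const char *prefix`. POSIX allows `dirname()` to modify its argument and to return static storage, so the cached prefix can change underneath later calls; this may also be what the comment about dladdr returning different values on Linux is observing, though that is a guess from the visible lines. Since the result decides where certificates and private keys are loaded from, copy the string before `dirname()` and keep a private copy of the result, as sketched below. Separately, `__USE_GNU` is a glibc-internal macro; `#define _GNU_SOURCE` before the first include is the supported way to get `dladdr`. The fallback `dir ?: X509_CERT_FILE` in the later hunks only triggers when `relocat0r` returns NULL, not when the computed path does not exist.

```c
const char *relocat0r(const char *suffix) {
  static char *prefix = NULL;
  if (!prefix) {
    Dl_info info;
    if (!dladdr(relocat0r, &info) || !info.dli_fname) { return NULL; }
    /* dirname() may write into its argument and may return static storage:
       work on a private copy and keep our own copy of the result */
    char *path = strdup(info.dli_fname);
    if (!path) { return NULL; }
    prefix = strdup(dirname(path));
    free(path);
    if (!prefix) { return NULL; }
  }
  /* … unchanged: malloc + sprintf of "%s/../%s" and return dir … */
}
```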
diff --git a/scripts/test-all.ts b/scripts/test-all.ts
new file mode 100755
index 00000000..a6e200e4
--- /dev/null
+++ b/scripts/test-all.ts
@@ -0,0 +1,28 @@
+#!/usr/bin/env -S tea -E
+
+/*---
+args:
+ - deno
+ - run
+ - --allow-run
+ - --allow-read
+ - --allow-env
+ - --import-map={{ srcroot }}/import-map.json
+---*/
+
+import { Path } from "types"
+import { ls } from "./ls.ts"
+
+const cwd = new Path(new URL(import.meta.url).pathname).parent().string
+
+for await (const { project } of ls()) {
+ const proc = Deno.run({
+ stdout: "null", stderr: "null",
+ cmd: ["./test.ts", project],
+ cwd
+ })
+ const status = await proc.status()
+ if (status.code !== 0) {
+ console.error(`test failed: ${project}`)
+ }
+}
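Review bot: The loop only prints `test failed: …` and the script still exits 0, so a CI job running it cannot tell a failing project from a passing one. Record the failure and exit non-zero at the end: `let failed = false` before the loop, `failed = true` next to the `console.error`, and `if (failed) Deno.exit(1)` after the loop. With `stdout: "null", stderr: "null"` the failing test's output is discarded as well, so consider letting stderr through; `proc.close()` after `await proc.status()` would also release the process handle.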