Re: Making sslrootcert=system work on Windows psql

George MacKerron <george@mackerron.co.uk>

From: George MacKerron <george@mackerron.co.uk>
To: Christoph Berg <myon@debian.org>
Cc: Daniel Gustafsson <daniel@yesql.se>, Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-04-03T13:46:42Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. doc: Clarify the system value for sslrootcert

> On 3 Apr 2025, at 14:28, Christoph Berg <myon@debian.org> wrote:
> 
> What are the chances of making "use the system/os default CA store"
> the default? "sslmode=require" would then already actually "require" a
> certificate if I'm reading the docs right. This would match user
> expectation for POLA.

Right: the issue at present is that sslmode=require does require a certificate, but IIRC basically any old certificate will do. It doesn’t need to be signed by any particular CA. It doesn’t even need to have the server’s name on it.


> This default could then be pointed at the correct locations (plural)
> on all operating systems. (sslrootcert=system:wincert:otherlocation?)
> 
> The "default default" would still be sslmode=prefer so it wouldn't
> break today's normal case. Users of sslmode=require will understand
> that supplying a CA certificate is no longer optional.
> 
> Perhaps add a sslmode=require-weak could be added as a workaround.

I would love it if sslmode=require started verifying against OS cert stores and so became secure against MITM attacks. I’d certainly support that. But I would say that’s a much bigger backwards-incompatible change than the one I was asking for. :)

--
George MacKerron