Re: Making sslrootcert=system work on Windows psql

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: George MacKerron <george@mackerron.co.uk>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-04-25T14:04:29Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. doc: Clarify the system value for sslrootcert

> On 25 Apr 2025, at 15:40, George MacKerron <george@mackerron.co.uk> wrote:
> 
>> On 25 Apr 2025, at 13:53, Daniel Gustafsson <daniel@yesql.se> wrote:
>>> 
>>>> (2) sslrootcert=system on Windows doesn’t do a thing that would be extremely useful in some common situations. Namely: connecting securely to servers that present a certificate signed by a public CA.
>>> 
>>> Just to be clear, does (2) happens when the OpenSSL installation has a bogus
>>> OPENSSLDIR value, or does it happen regardless?
>> 
>> I would still like to get clarity on this, do you have any insights here?
> 
> I can tell you what happens on my Windows 11 system with Postgres 17 via the EDB installer, which has a non-bogus OPENSSLDIR.

Thanks for confirming.

> OpenSSL appears to have been built with OPENSSLDIR="C:\Program Files\Common Files\SSL".
> 
> This is a valid path, the directory exists, and it contains a few *.cnf files. I’m pretty sure the EDB installer created..

It did, CVE-2019-10211 has more details.

> ..and populated this directory.

The contents most likely come from building OpenSSL, by the sounds of it that's
the stock OPENSSLDIR setup.

--
Daniel Gustafsson