Re: Making sslrootcert=system work on Windows psql
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: George MacKerron <george@mackerron.co.uk>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-04-25T14:04:29Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
doc: Clarify the system value for sslrootcert
- dda1b0603523 16.9 landed
- daa16893faa9 18.0 landed
- c88b36d382eb 17.5 landed
> On 25 Apr 2025, at 15:40, George MacKerron <george@mackerron.co.uk> wrote: > >> On 25 Apr 2025, at 13:53, Daniel Gustafsson <daniel@yesql.se> wrote: >>> >>>> (2) sslrootcert=system on Windows doesn’t do a thing that would be extremely useful in some common situations. Namely: connecting securely to servers that present a certificate signed by a public CA. >>> >>> Just to be clear, does (2) happens when the OpenSSL installation has a bogus >>> OPENSSLDIR value, or does it happen regardless? >> >> I would still like to get clarity on this, do you have any insights here? > > I can tell you what happens on my Windows 11 system with Postgres 17 via the EDB installer, which has a non-bogus OPENSSLDIR. Thanks for confirming. > OpenSSL appears to have been built with OPENSSLDIR="C:\Program Files\Common Files\SSL". > > This is a valid path, the directory exists, and it contains a few *.cnf files. I’m pretty sure the EDB installer created.. It did, CVE-2019-10211 has more details. > ..and populated this directory. The contents most likely come from building OpenSSL, by the sounds of it that's the stock OPENSSLDIR setup. -- Daniel Gustafsson