Re: Making sslrootcert=system work on Windows psql
George MacKerron <george@mackerron.co.uk>
From: George MacKerron <george@mackerron.co.uk>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-04-02T14:15:24Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
doc: Clarify the system value for sslrootcert
- dda1b0603523 16.9 landed
- daa16893faa9 18.0 landed
- c88b36d382eb 17.5 landed
> On 2 Apr 2025, at 14:39, George MacKerron <george@mackerron.co.uk> wrote: > But happily, I don’t think we need to choose. Can’t we just use the Windows system store if neither of the relevant environment variables is set? Thinking about this a little more, I guess the remaining concern is about people on Windows compiling their own psql from source, using an OpenSSL build that has a meaningful OPENSSLDIR baked in. I guess that might suggest we should make the "org.openssl.winstore:" code path something users can opt out of (or even, for maximum backwards-compatibility, opt in to) at compile-time. My preference would be for "org.openssl.winstore:" to be the compile-time default, though, because the option is called sslrootcert=system and it’s documented as using “the system’s trusted CA roots” (not sslrootcert=openssldir or documented as using OpenSSL’s default CA roots).