Re: Making sslrootcert=system work on Windows psql

George MacKerron <george@mackerron.co.uk>

From: George MacKerron <george@mackerron.co.uk>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-04-02T14:15:24Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. doc: Clarify the system value for sslrootcert

> On 2 Apr 2025, at 14:39, George MacKerron <george@mackerron.co.uk> wrote:
> But happily, I don’t think we need to choose. Can’t we just use the Windows system store if neither of the relevant environment variables is set?


Thinking about this a little more, I guess the remaining concern is about people on Windows compiling their own psql from source, using an OpenSSL build that has a meaningful OPENSSLDIR baked in.

I guess that might suggest we should make the "org.openssl.winstore:" code path something users can opt out of (or even, for maximum backwards-compatibility, opt in to) at compile-time.

My preference would be for "org.openssl.winstore:" to be the compile-time default, though, because the option is called sslrootcert=system and it’s documented as using “the system’s trusted CA roots” (not sslrootcert=openssldir or documented as using OpenSSL’s default CA roots).