Re: Making sslrootcert=system work on Windows psql
Christoph Berg <myon@debian.org>
From: Christoph Berg <myon@debian.org>
To: George MacKerron <george@mackerron.co.uk>
Cc: Daniel Gustafsson <daniel@yesql.se>, Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-04-03T13:28:12Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
doc: Clarify the system value for sslrootcert
- dda1b0603523 16.9 landed
- daa16893faa9 18.0 landed
- c88b36d382eb 17.5 landed
Re: George MacKerron > (3) Any other ideas? I'm not a fan of "security by adding more connection parameters". What are the chances of making "use the system/os default CA store" the default? "sslmode=require" would then already actually "require" a certificate if I'm reading the docs right. This would match user expectation for POLA. This default could then be pointed at the correct locations (plural) on all operating systems. (sslrootcert=system:wincert:otherlocation?) The "default default" would still be sslmode=prefer so it wouldn't break today's normal case. Users of sslmode=require will understand that supplying a CA certificate is no longer optional. Perhaps add a sslmode=require-weak could be added as a workaround. Christoph