> On 29 Apr 2024, at 21:06, Heikki Linnakangas <hlinn...@iki.fi> wrote:
> Oh I was not aware sslrootcert=system works like that. That's a bit > surprising, none of the other ssl-related settings imply or require that SSL > is actually used. Did we intend to set a precedence for new settings with > that? It was very much intentional, and documented, an sslmode other than verify-full makes little sense when combined with sslrootcert=system. It wasn't intended to set a precedence (though there is probably a fair bit of things we can do, getting this right is hard enough as it is), rather it was footgun prevention. -- Daniel Gustafsson