> On 3 Apr 2025, at 14:28, Christoph Berg <m...@debian.org> wrote:
>
> What are the chances of making "use the system/os default CA store"
> the default? "sslmode=require" would then already actually "require" a
> certificate if I'm reading the docs right. This would match user
> expectation for POLA.

Right: the issue at present is that sslmode=require does require a certificate, but IIRC basically any old certificate will do. It doesn’t need to be signed by any particular CA. It doesn’t even need to have the server’s name on it.

> This default could then be pointed at the correct locations (plural)
> on all operating systems. (sslrootcert=system:wincert:otherlocation?)
>
> The "default default" would still be sslmode=prefer so it wouldn't
> break today's normal case. Users of sslmode=require will understand
> that supplying a CA certificate is no longer optional.
>
> Perhaps a sslmode=require-weak could be added as a workaround.

I would love it if sslmode=require started verifying against OS cert stores and so became secure against MITM attacks. I’d certainly support that. But I would say that’s a much bigger backwards-incompatible change than the one I was asking for. :)

-- 
George MacKerron
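As an added illustration of the point above (not code from the thread or from libpq itself), the following checker parses a libpq conninfo string and reports what protection the settings actually give, following the documented libpq rules as I read them: sslmode=require only guarantees encryption unless an sslrootcert file is supplied, verify-ca checks the chain but not the name, verify-full checks both, and sslrootcert=system (PostgreSQL 16+) defaults to verify-full and refuses weaker modes. It assumes the sslrootcert file exists when named and does not inspect the default ~/.postgresql/root.crt location.

```python
"""Classify the TLS protection a libpq conninfo string actually provides."""
import re
from dataclasses import dataclass
from typing import Optional

# conninfo syntax: space-separated key=value pairs, values optionally
# single-quoted with backslash escapes (the subset needed here).
_KV = re.compile(r"(\w+)\s*=\s*(?:'((?:\\.|[^'])*)'|(\S*))")


def parse_conninfo(conninfo: str) -> dict:
    params = {}
    for m in _KV.finditer(conninfo):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        params[key] = re.sub(r"\\(.)", r"\1", value)   # unescape \' and \\
    return params


@dataclass(frozen=True)
class TlsProtection:
    encrypted: str            # "no", "opportunistic" or "required"
    ca_verified: bool         # server cert chained to a trusted CA?
    hostname_verified: bool   # server name checked against the cert?
    error: Optional[str] = None   # set when libpq would refuse to connect


def classify(conninfo: str) -> TlsProtection:
    p = parse_conninfo(conninfo)
    rootcert = p.get("sslrootcert")
    if rootcert == "system":
        # sslrootcert=system changes the default sslmode to verify-full and
        # libpq rejects any weaker sslmode given explicitly.
        mode = p.get("sslmode", "verify-full")
        if mode != "verify-full":
            return TlsProtection("required", True, True,
                                 error=f"weak sslmode {mode!r} with sslrootcert=system")
        return TlsProtection("required", True, True)
    mode = p.get("sslmode", "prefer")   # libpq's default when unset
    if mode == "disable":
        return TlsProtection("no", False, False)
    if mode in ("allow", "prefer"):
        return TlsProtection("opportunistic", False, False)
    if mode == "require":
        # Encryption is mandatory, but the cert is only checked against a CA
        # when an sslrootcert file is supplied (assumed to exist); the
        # hostname is never checked in this mode.
        return TlsProtection("required", rootcert is not None, False)
    if mode == "verify-ca":
        return TlsProtection("required", True, False)
    if mode == "verify-full":
        return TlsProtection("required", True, True)
    return TlsProtection("no", False, False, error=f"unknown sslmode {mode!r}")
```

Running it over the two strings from this discussion shows the gap directly: `classify("host=db.example.com sslmode=require")` reports neither CA nor hostname verification, while `classify("host=db.example.com sslrootcert=system")` reports both.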