On Wed, Apr 23, 2025 at 8:47 AM George MacKerron <geo...@mackerron.co.uk> wrote: > I’d suggest two new special sslrootcert values: > > (1) sslrootcert=openssl > > This does exactly what sslrootcert=system does now, but is less confusingly > named for Windows users. sslrootcert=system becomes a deprecated synonym for > this option.
Stealing the word "system" from the existing sslrootcert domain had at least two hazards: a) existing users might have a file named "system" that would now be ignored, and b) users might accidentally use sslrootcert=system on older versions of libpq, picking up an unexpected file named "system" and doing the Wrong Thing. Problem (a) can be worked around by saying "./system" instead, so honestly I wasn't too concerned about that, and I considered (b) to be more of a theoretical problem that was outweighed by the benefit of getting OpenSSL to just Do The Thing people wanted it to do. A couple years on, I think (b) is less theoretical than I had originally hoped. As evidence I point to Stack Overflow questions like [1], where both the asker and the answerer are a bit confused about how connection string versioning works. If we steal more words, I think that problem is going to get worse. So I'm leaning toward's Daniel's earlier position that sslrootcert has kind of run its course, and if you want to select OpenSSL stores, we need a more fully featured syntax and probably a completely new option to be able to pass that through safely. > (2) sslrootcert=os > > This does what I was proposing in my patch: it uses winstore on Windows and > behaves the same as sslrootcert=openssl elsewhere, where openssl *is* the > operating system SSL provider. Falling back to standard OpenSSL introduces the same hazard we're running into today, though -- what if someone creates a macstore [2] for OpenSSL, so that its behavior matches Safari's or whatever, and then everyone wonders why sslrootcert=os doesn't use that? If the abstraction must leak the details anyway, I think we should expose them directly instead. (As a small soapbox, I think "application-level" fallback for a trust chain is frequently going to lead to regret. You should ideally tell us what you want, and either get it or fail.) Thanks, --Jacob [1] https://stackoverflow.com/questions/77989772/psql-root-certificate-file-system-does-not-exist-why-sslrootcert-system-do [2] https://github.com/openssl/openssl/issues/23460