| From: | George MacKerron <george(at)mackerron(dot)co(dot)uk> |
|---|---|
| To: | Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> |
| Cc: | Daniel Gustafsson <daniel(at)yesql(dot)se>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Making sslrootcert=system work on Windows psql |
| Date: | 2025-04-25 10:20:55 |
| Message-ID: | 1C9354BA-2BAF-465E-9985-5388AA8C5909@mackerron.co.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On Thu, 24 Apr 2025 at 23:52, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> wrote:
>
>> How about we add a *compile time*
>> option that allows the person that compiles libpq to choose which cert
>> store it should use if sslrootcert=system is provided. Something like
>> --system-cert-store=openssl and --system-cert-store=winstore flags for
>> ./configure.
>
> @George So basically my suggestion is to make the behaviour that your
> patch introduces configurable at compile time. FWIW my vote would
> probably be to default to --system-cert-store=winstore if it's
> available. And then --system-cert-store=openssl would be a way out for
> people that took the effort to configure openssl correctly on Windows.
👍 I think that’s a pretty nice idea.
On the other hand, what are the specific objections to doing it dynamically, the way my patch does? I think that has backwards-compatibility quite well covered.
Is the main concern that users may be surprised that the behaviour of psql changes if they later set one of the OpenSSL environment variables or put cert files in OPENSSLDIR? I feel like that would be quite rare and also a pretty safe failure mode.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | George MacKerron | 2025-04-25 10:22:06 | Re: Making sslrootcert=system work on Windows psql |
| Previous Message | Alexander Pyhalov | 2025-04-25 09:16:29 | Re: MergeAppend could consider sorting cheapest child path |