Re: Making sslrootcert=system work on Windows psql

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: George MacKerron <george(at)mackerron(dot)co(dot)uk>
Cc: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Making sslrootcert=system work on Windows psql
Date: 2025-04-25 14:04:29
Message-ID: AA259633-BFF0-4C23-AEF6-E75EAC996BB2@yesql.se
Lists: pgsql-hackers

> On 25 Apr 2025, at 15:40, George MacKerron <george(at)mackerron(dot)co(dot)uk> wrote:
>
>> On 25 Apr 2025, at 13:53, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>>>
>>>> (2) sslrootcert=system on Windows doesn’t do a thing that would be extremely useful in some common situations. Namely: connecting securely to servers that present a certificate signed by a public CA.
>>>
>>> Just to be clear, does (2) happen when the OpenSSL installation has a bogus
>>> OPENSSLDIR value, or does it happen regardless?
>>
>> I would still like to get clarity on this, do you have any insights here?
>
> I can tell you what happens on my Windows 11 system with Postgres 17 via the EDB installer, which has a non-bogus OPENSSLDIR.

Thanks for confirming.

> OpenSSL appears to have been built with OPENSSLDIR="C:\Program Files\Common Files\SSL".
>
> This is a valid path, the directory exists, and it contains a few *.cnf files. I’m pretty sure the EDB installer created..

It did, CVE-2019-10211 has more details.

> ..and populated this directory.

The contents most likely come from building OpenSSL; by the sounds of it, that's
the stock OPENSSLDIR setup.

--
Daniel Gustafsson
