Postgres Pro
Downloads
Home   >   mailing lists

Re: Making sslrootcert=system work on Windows psql - Mailing list pgsql-hackers

From George MacKerron
Subject Re: Making sslrootcert=system work on Windows psql
Date
Msg-id 9534947B-5E64-4941-AA4A-D5B16DA4577B@mackerron.co.uk
Whole thread Raw
In response to Re: Making sslrootcert=system work on Windows psql  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: Making sslrootcert=system work on Windows psql
List pgsql-hackers
Tree view 
Daniel, Jacob: thanks. My feeling is that it would be a bit odd to prioritise the preservation of a secondary behaviour
(userscan customise what cert store is used via environment variables) over fixing the feature’s basic reason for
existing(certificates will be validated against the system CA cert store), even in the name of backward-compatibility. 

But happily, I don’t think we need to choose. Can’t we just use the Windows system store if neither of the relevant
environmentvariables is set? 

I’ve updated my patch to do that. It’s attached, and also still here:
https://github.com/postgres/postgres/compare/master...jawj:postgres:jawj-sslrootcert-system-windows



> On 2 Apr 2025, at 08:32, Daniel Gustafsson <daniel@yesql.se> wrote:
>
>> On 1 Apr 2025, at 23:46, Jacob Champion <jacob.champion@enterprisedb.com> wrote:
>> On Tue, Apr 1, 2025 at 2:05 PM George MacKerron <george@mackerron.co.uk> wrote:
>
>>> I’ve recently been trying to get it more widely supported, with some success (details at end of this message).
>>
>> (Thank you!)
>
> +many
>
>>> I’m not a Windows or OpenSSL expert, but so far the patched code seems to work in theory and in practice (sources
below,and I’ve compiled and tested it working on Windows 11 x64). 
>>
>> While this will get things working -- if you plan to use the Windows
>> store! -- I worry that it's an incompatible change, and anyone who is
>> actually happy with the way things currently work (i.e. not using the
>> EDB installers) will be broken. The meaning of `sslrootcert=system` is
>> "do whatever OpenSSL wants to do by default." That includes
>> modification by the OpenSSL environment variables, which (I think)
>> this patch disables.
>
> Correct, this patch changes from using the defaults (directory, file and store)
> and thus the env variable overrides, to hardcoding the new winstore which came
> in 3.2 as the only option.  While I agree that we probably should allow
> winstore (and other such stores for other platforms when/if they happen) I
> don't think making it the only option is the right way.
>
>> The winstore is new to me. Is there no way to get OpenSSL to switch
>> its default store without code changes?
>
> AFAIK one cannot change the default store in OpenSSL short of recompiling
> OpenSSL.
>
> --
> Daniel Gustafsson
>
Attachment

pgsql-hackers by date:

Previous
From: "Zhijie Hou (Fujitsu)"
Date:
Subject: RE: Fix slot synchronization with two_phase decoding enabled
Next
From: Heikki Linnakangas
Date:
Subject: Re: Make query cancellation keys longer