Re: Making sslrootcert=system work on Windows psql - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: Making sslrootcert=system work on Windows psql
Date
Msg-id CAOYmi+kJjogSP9=vXx=16jrtCnuqNoZ1vEn7JBkbbh-tvQy+WA@mail.gmail.com
In response to Re: Making sslrootcert=system work on Windows psql  (George MacKerron <george@mackerron.co.uk>)
Responses Re: Making sslrootcert=system work on Windows psql
List pgsql-hackers
On Wed, Apr 2, 2025 at 7:15 AM George MacKerron <george@mackerron.co.uk> wrote:
> > But happily, I don’t think we need to choose. Can’t we just use the Windows system store if neither of the relevant environment variables is set?
>
> Thinking about this a little more, I guess the remaining concern is about people on Windows compiling their own psql from source, using an OpenSSL build that has a meaningful OPENSSLDIR baked in.

Right. In a past life I shipped client stacks on Windows that looked
kind of like that; I would have been less than happy if a client
suddenly stopped using the certificate bundle I'd set up.

> My preference would be for "org.openssl.winstore:" to be the compile-time default, though, because the option is called sslrootcert=system and it’s documented as using “the system’s trusted CA roots” (not sslrootcert=openssldir or documented as using OpenSSL’s default CA roots).

If we'd decided to do that from the beginning, maybe... but it looks
like the winstore URI wasn't released yet when we designed that, so
"the system" couldn't have meant anything except for OpenSSL. Maybe
the documentation needs to be more specific now that OpenSSL is
supporting more stuff.

Even if we want to change that definition sometime in the future, we'd
still have to wait at least until OpenSSL 3.1 was no longer supported;
I don't think it would be very helpful for our definition of "system"
to change abruptly when upgrading OpenSSL past the 3.2 boundary. All
this to say, I'd like to support the winstore, but I'm not convinced
it should take over the existing meaning of "system". Even just adding
it as a fallback has some risk to any packagers who have gotten it
working.

On Wed, Apr 2, 2025 at 12:33 AM Daniel Gustafsson <daniel@yesql.se> wrote:
> AFAIK one cannot change the default store in OpenSSL short of recompiling
> OpenSSL.

I had hoped that a `system_default` entry in openssl.cnf would be able
to override it, but no luck -- VerifyCAStore is explicitly forbidden
in the default section :(

Thanks,
--Jacob
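
Added here as an illustration of the choices discussed in the message above; it is not libpq's or OpenSSL's own code. The first function reads, through Python's standard ssl module, the compiled-in OPENSSLDIR locations and the override variables that OpenSSL's default verify paths honour, which is what "system" resolves to today. The second implements, as a plain decision function, the policy proposed in the thread: honour SSL_CERT_FILE/SSL_CERT_DIR if set, otherwise use the Windows store on Windows with OpenSSL 3.2 or later (the first release with the "org.openssl.winstore:" URI), otherwise keep OpenSSL's defaults. The names `choose_trust_source`, `openssl_default_paths`, `windows_root_count` and the constants are assumptions made for this example.

```python
"""Added example (not libpq or OpenSSL code): what "sslrootcert=system" can mean.

  1. OpenSSL's built-in trust store is <OPENSSLDIR>/cert.pem and
     <OPENSSLDIR>/certs, unless SSL_CERT_FILE / SSL_CERT_DIR override it.
     Python's ssl module exposes exactly those values, so we can inspect them.
  2. choose_trust_source() is the "env vars, else winstore on Windows with
     OpenSSL >= 3.2, else OpenSSL defaults" policy from the thread.  It is a
     hypothetical helper; libpq has no such function.
"""
import os
import ssl
import sys

WINSTORE_URI = "org.openssl.winstore:"  # store URI introduced in OpenSSL 3.2
OPENSSL_DEFAULT = "openssl-default"     # i.e. SSL_CTX_set_default_verify_paths()
WINSTORE_MIN_VERSION = (3, 2, 0)


def openssl_default_paths():
    """Where this OpenSSL build looks for roots when nothing overrides it."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile_env": p.openssl_cafile_env,  # usually "SSL_CERT_FILE"
        "capath_env": p.openssl_capath_env,  # usually "SSL_CERT_DIR"
        "cafile": p.openssl_cafile,          # <OPENSSLDIR>/cert.pem, baked in
        "capath": p.openssl_capath,          # <OPENSSLDIR>/certs, baked in
        # cafile/capath come back None when the baked-in location does not
        # exist on this host: the "OPENSSLDIR is meaningless here" case.
        "cafile_present": p.cafile is not None,
        "capath_present": p.capath is not None,
    }


def choose_trust_source(env, platform, openssl_version,
                        cafile_env="SSL_CERT_FILE", capath_env="SSL_CERT_DIR"):
    """Return the trust source a client following the proposed policy would use.

    env: mapping of environment variables (pass os.environ for the real thing).
    platform: sys.platform-style string ("win32", "linux", ...).
    openssl_version: tuple such as ssl.OPENSSL_VERSION_INFO[:3].
    """
    # An explicit operator override wins, so a packager's bundle keeps working.
    # (Simplification: an empty value is treated as "not set".)
    if env.get(cafile_env) or env.get(capath_env):
        return OPENSSL_DEFAULT
    # The winstore URI only exists from OpenSSL 3.2; older builds must keep
    # using the compiled-in default even on Windows.
    if platform == "win32" and tuple(openssl_version) >= WINSTORE_MIN_VERSION:
        return WINSTORE_URI
    return OPENSSL_DEFAULT


def windows_root_count():
    """Number of certificates in the Windows ROOT store, or None off Windows."""
    if sys.platform != "win32":
        return None
    return len(ssl.enum_certificates("ROOT"))


if __name__ == "__main__":
    for key, value in openssl_default_paths().items():
        print(f"{key:15} {value}")
    print("this host would use:",
          choose_trust_source(os.environ, sys.platform,
                              ssl.OPENSSL_VERSION_INFO[:3]))
    print("windows ROOT store:", windows_root_count())
```

Running the block prints the compiled-in locations for the local OpenSSL; on a Windows build with a non-existent OPENSSLDIR, `cafile_present` and `capath_present` come back False, which is the situation where a "system" store with no certificates in it is silently used today.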
