On Wed, Apr 23, 2025 at 8:47 AM George MacKerron <george@mackerron.co.uk> wrote:
> I’d suggest two new special sslrootcert values:
>
> (1) sslrootcert=openssl
>
> This does exactly what sslrootcert=system does now, but is less confusingly named for Windows users.
sslrootcert=systembecomes a deprecated synonym for this option.
Stealing the word "system" from the existing sslrootcert domain had at
least two hazards: a) existing users might have a file named "system"
that would now be ignored, and b) users might accidentally use
sslrootcert=system on older versions of libpq, picking up an
unexpected file named "system" and doing the Wrong Thing. Problem (a)
can be worked around by saying "./system" instead, so honestly I
wasn't too concerned about that, and I considered (b) to be more of a
theoretical problem that was outweighed by the benefit of getting
OpenSSL to just Do The Thing people wanted it to do.
A couple years on, I think (b) is less theoretical than I had
originally hoped. As evidence I point to Stack Overflow questions like
[1], where both the asker and the answerer are a bit confused about
how connection string versioning works. If we steal more words, I
think that problem is going to get worse. So I'm leaning toward's
Daniel's earlier position that sslrootcert has kind of run its course,
and if you want to select OpenSSL stores, we need a more fully
featured syntax and probably a completely new option to be able to
pass that through safely.
> (2) sslrootcert=os
>
> This does what I was proposing in my patch: it uses winstore on Windows and behaves the same as sslrootcert=openssl
elsewhere,where openssl *is* the operating system SSL provider.
Falling back to standard OpenSSL introduces the same hazard we're
running into today, though -- what if someone creates a macstore [2]
for OpenSSL, so that its behavior matches Safari's or whatever, and
then everyone wonders why sslrootcert=os doesn't use that? If the
abstraction must leak the details anyway, I think we should expose
them directly instead.
(As a small soapbox, I think "application-level" fallback for a trust
chain is frequently going to lead to regret. You should ideally tell
us what you want, and either get it or fail.)
Thanks,
--Jacob
[1]
https://stackoverflow.com/questions/77989772/psql-root-certificate-file-system-does-not-exist-why-sslrootcert-system-do
[2] https://github.com/openssl/openssl/issues/23460
