The documentation for the special value "system" for sslrootcert could
be misinterpreted to mean the default operating system CA store, which
it may be, but it's defined to be the default CA store of the SSL lib
used.
Backpatch down to v16 where support for the system value was added.
Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: George MacKerron <george@mackerron.co.uk>
Discussion: https://postgr.es/m/
B3CBBAA3-6EA3-4AB7-8619-
4BBFAB93DDB4@yesql.se
Backpatch-through: 16
</para>
<para>
The special value <literal>system</literal> may be specified instead, in
- which case the system's trusted CA roots will be loaded. The exact
+ which case the trusted CA roots from the SSL implementation will be loaded. The exact
locations of these root certificates differ by SSL implementation and
platform. For <productname>OpenSSL</productname> in particular, the
locations may be further modified by the <envar>SSL_CERT_DIR</envar>
<literal>sslmode=verify-ca</literal> or
<literal>verify-full</literal> and have the appropriate root certificate
file installed (<xref linkend="libq-ssl-certificates"/>). Alternatively the
- system CA pool can be used using <literal>sslrootcert=system</literal>; in
+ <link linkend="libpq-connect-sslrootcert">system CA pool</link>, as defined
+ by the SSL implementation, can be used using <literal>sslrootcert=system</literal>; in
this case, <literal>sslmode=verify-full</literal> is forced for safety, since
it is generally trivial to obtain certificates which are signed by a public
CA.
projects / thirdparty / postgresql.git / commitdiff
