> On 25 Apr 2025, at 15:40, George MacKerron <geo...@mackerron.co.uk> wrote: > >> On 25 Apr 2025, at 13:53, Daniel Gustafsson <dan...@yesql.se> wrote: >>> >>>> (2) sslrootcert=system on Windows doesn’t do a thing that would be >>>> extremely useful in some common situations. Namely: connecting securely to >>>> servers that present a certificate signed by a public CA. >>> >>> Just to be clear, does (2) happens when the OpenSSL installation has a bogus >>> OPENSSLDIR value, or does it happen regardless? >> >> I would still like to get clarity on this, do you have any insights here? > > I can tell you what happens on my Windows 11 system with Postgres 17 via the > EDB installer, which has a non-bogus OPENSSLDIR.
Thanks for confirming. > OpenSSL appears to have been built with OPENSSLDIR="C:\Program Files\Common > Files\SSL". > > This is a valid path, the directory exists, and it contains a few *.cnf > files. I’m pretty sure the EDB installer created.. It did, CVE-2019-10211 has more details. > ..and populated this directory. The contents most likely come from building OpenSSL, by the sounds of it that's the stock OPENSSLDIR setup. -- Daniel Gustafsson
