Hi,

I manage a bunch of Postgres servers at Oslo University and we use real SSL
certs on all our servers.

I was actually really surprised to discover that the libpq default is
sslmode=require and that the root cert defaults to a file under the user’s
home directory. I have been planning to use our management system
(CFEngine) to globally change the client settings to verify-ca and to use
the system trust store.

So that’s a +1 to use the system cert store for client connections.

I also agree that the proposed patch is not the right way to go as it is
essentially the same as verify-full, and I think that the correct fix would
be to change the default.

Thanks
C
