On Sat, 2021-09-18 at 14:20 +0200, Cameron Murdoch wrote:
> Having sslrootcert use the system trust store if
> ~/.postgresql/root.crt doesn’t exist would seem like a good change.

Fallback behavior can almost always be exploited given the right circumstances. IMO, if I've told psql to use a root cert, it really needs to do that and not trust anything else.

> Changing sslmode to default to something else would most likely
> break a ton of existing installations, and there are plenty of use
> cases where ssl isn’t used. Trying ssl first and without afterwards
> probably is still a sensible default. However…

The discussion on changing the sslmode default behavior seems like it can be separated from the use of system certificates. Not to shut down that branch of the conversation, but is there enough tentative support for an "sslrootcert=system" option to move forward with that, while also discussing potential changes to the sslmode defaults?

The NSS patchset [1] also deals with this problem. FWIW, it currently treats an empty ssldatabase setting as "use the system's (Mozilla's) trusted roots".

--Jacob

[1] https://www.postgresql.org/message-id/flat/fab21fc8-0f62-434f-aa78-6bd9336d6...@yesql.se
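
The two trust-anchor policies debated in this thread, side by side, as an added example that is not part of the original message and is not libpq code. The function names and the exact handling of the `system` value are assumptions, and the sketch models a connection that requires certificate verification.

```python
import os
import ssl

SYSTEM = "system"  # value proposed in the thread; semantics below are assumed


class TrustConfigError(Exception):
    """Raised instead of substituting a different trust source."""


def default_root(home):
    # Per-user root certificate location named in the thread.
    return os.path.join(home, ".postgresql", "root.crt")


def resolve_with_fallback(sslrootcert, home):
    """Fallback policy: a missing root.crt silently widens trust to the system store."""
    path = sslrootcert or default_root(home)
    if os.path.isfile(path):
        return ("file", path)
    return ("system", None)


def resolve_explicit(sslrootcert, home):
    """Explicit policy: the system store is used only when asked for by name."""
    if sslrootcert == SYSTEM:
        return ("system", None)
    path = sslrootcert or default_root(home)
    if not os.path.isfile(path):
        raise TrustConfigError(f"root certificate file {path!r} does not exist")
    return ("file", path)


def build_context(source):
    """Turn a resolved trust source into a verifying TLS client context."""
    kind, path = source
    if kind == "system":
        return ssl.create_default_context()
    return ssl.create_default_context(cafile=path)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as home:  # constructed: home with no root.crt
        print(resolve_with_fallback(None, home))
        print(resolve_explicit(SYSTEM, home))
        try:
            resolve_explicit(None, home)
        except TrustConfigError as exc:
            print("refused:", exc)
```

Under the fallback policy, a client that was pinned to a private CA starts accepting any certificate issued by a system-trusted CA as soon as its `root.crt` goes missing or `HOME` points elsewhere, with no error to signal the change.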