From c88b36d382ebb7925db9f713dcf5ad8ca1bbae71 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Fri, 4 Apr 2025 09:47:36 +0200 Subject: [PATCH] doc: Clarify the system value for sslrootcert The documentation for the special value "system" for sslrootcert could be misinterpreted to mean the default operating system CA store, which it may be, but it's defined to be the default CA store of the SSL lib used. Backpatch down to v16 where support for the system value was added. Author: Daniel Gustafsson Reviewed-by: George MacKerron Discussion: https://postgr.es/m/B3CBBAA3-6EA3-4AB7-8619-4BBFAB93DDB4@yesql.se Backpatch-through: 16 --- doc/src/sgml/libpq.sgml | 2 +- doc/src/sgml/runtime.sgml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index e3b74af96a6..789a6ec2486 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1999,7 +1999,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname The special value system may be specified instead, in - which case the system's trusted CA roots will be loaded. The exact + which case the trusted CA roots from the SSL implementation will be loaded. The exact locations of these root certificates differ by SSL implementation and platform. For OpenSSL in particular, the locations may be further modified by the SSL_CERT_DIR diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 893b30eb31a..25ee5be5b1b 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -1986,7 +1986,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 sslmode=verify-ca or verify-full and have the appropriate root certificate file installed (). Alternatively the - system CA pool can be used using sslrootcert=system; in + system CA pool, as defined + by the SSL implementation, can be used using sslrootcert=system; in this case, sslmode=verify-full is forced for safety, since it is generally trivial to obtain certificates which are signed by a public CA.