The failing test seems unrelated to this patch.

Any chance to get this PR done?

This project is in maintenance mode (https://github.com/lib/pq#status), but I can merge this patch if it gets rebased to resolve conflicts, and tests are added.

Sorry, missed that information. In that case, I guess it's not worth it.
If the sslrootcert option hasn't been specified, use ~/.postgresql/root.crt if it exists (or %APPDATA%\postgresql\root.crt on Windows). This is what libpq does.

See
- https://www.postgresql.org/docs/11/libpq-connect.html#LIBPQ-CONNECT-SSLROOTCERT
- https://www.postgresql.org/docs/current/libpq-ssl.html#LIBQ-SSL-CERTIFICATES
b296a77 to 2f89da5
I rewrote the patch on top of master and added a test. The patch is now simpler than before and will now also work on Windows.

I'm currently changing the existing tests and only just now realized that this PR will change the behavior when sslrootcert is absent or empty from using system CAs to failing (unless ~/.postgresql/root.crt exists). I'm not convinced anymore that that is a good idea, even if it matches libpq's behavior (which never considers system CAs as far as I can tell). WDYT?
TestDefaultRootCert removed because it is a complex test that is redundant with TestSSLVerifyCA* and TestSSLVerifyFull*.
As a rule I'd say that matching libpq is usually the best course of action, as that's the least surprising. It looks like pgx also looks at ~/.postgresql/root.crt. So seems okay? I pushed an updated version here by the way: https://github.com/lib/pq/tree/root.crt – I made some changes to how it gets the user home path that conflict.
If the sslrootcert option hasn't been specified, use ~/.postgresql/root.crt if it exists.
This is what libpq does.
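
An added example, not lib/pq's code and not part of the PR: a sketch of the root CA lookup order discussed in this thread (explicit sslrootcert, then the default root.crt, then either an error or the system CA pool). The names `defaultRootCertPath`, `resolveRootCAs` and the `systemFallback` switch are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"runtime"
)

// defaultRootCertPath returns %APPDATA%\postgresql\root.crt on Windows and
// ~/.postgresql/root.crt elsewhere. Inputs are parameters so it is testable.
func defaultRootCertPath(goos, home, appData string) string {
	if goos == "windows" {
		return appData + `\postgresql\root.crt`
	}
	return home + "/.postgresql/root.crt"
}

// resolveRootCAs picks the trust anchors (hypothetical helper). Only a missing
// *default* file may fall through; an explicit sslrootcert that is missing, or
// any file without PEM certificates, is always an error.
func resolveRootCAs(sslrootcert, defaultPath string, systemFallback bool) (*x509.CertPool, string, error) {
	path := sslrootcert
	if path == "" {
		path = defaultPath
	}
	pem, err := os.ReadFile(path)
	if sslrootcert == "" && errors.Is(err, os.ErrNotExist) {
		if !systemFallback { // fail closed when no root.crt exists
			return nil, "", fmt.Errorf("sslrootcert not set and %s does not exist", defaultPath)
		}
		pool, err := x509.SystemCertPool() // fall back to the system CAs
		return pool, "system", err
	}
	if err != nil {
		return nil, "", err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pem) {
		return nil, "", fmt.Errorf("no PEM certificates in %s", path)
	}
	return pool, path, nil
}

func main() {
	home, _ := os.UserHomeDir()
	def := defaultRootCertPath(runtime.GOOS, home, os.Getenv("APPDATA"))
	_, src, err := resolveRootCAs("", def, false)
	fmt.Println("default:", def, "source:", src, "err:", err)
}
```

With `systemFallback` set to false, a verifying connection has no trust anchors unless a root.crt is provisioned; with it set to true, any CA in the system store can vouch for the server.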