> On 25 Apr 2025, at 15:40, George MacKerron <george@mackerron.co.uk> wrote:
>
>> On 25 Apr 2025, at 13:53, Daniel Gustafsson <daniel@yesql.se> wrote:
>>>
>>>> (2) sslrootcert=system on Windows doesn’t do a thing that would be extremely useful in some common situations.
Namely:connecting securely to servers that present a certificate signed by a public CA.
>>>
>>> Just to be clear, does (2) happens when the OpenSSL installation has a bogus
>>> OPENSSLDIR value, or does it happen regardless?
>>
>> I would still like to get clarity on this, do you have any insights here?
>
> I can tell you what happens on my Windows 11 system with Postgres 17 via the EDB installer, which has a non-bogus
OPENSSLDIR.
Thanks for confirming.
> OpenSSL appears to have been built with OPENSSLDIR="C:\Program Files\Common Files\SSL".
>
> This is a valid path, the directory exists, and it contains a few *.cnf files. I’m pretty sure the EDB installer
created..
It did, CVE-2019-10211 has more details.
> ..and populated this directory.
The contents most likely come from building OpenSSL, by the sounds of it that's
the stock OPENSSLDIR setup.
--
Daniel Gustafsson
