1: 7618037c86 ! 1: e7e2d43b18 libpq: add sslrootcert=system to use default CAs @@ src/interfaces/libpq/fe-secure-openssl.c: initialize_SSL(PGconn *conn) + { + char *err = SSLerrmessage(ERR_get_error()); + -+ appendPQExpBuffer(&conn->errorMessage, -+ libpq_gettext("could not load system root certificate paths: %s\n"), -+ err); ++ libpq_append_conn_error(conn, "could not load system root certificate paths: %s", ++ err); + SSLerrfree(err); + SSL_CTX_free(SSL_context); + return -1; @@ src/interfaces/libpq/fe-secure-openssl.c: initialize_SSL(PGconn *conn) { X509_STORE *cvstore; +@@ src/interfaces/libpq/fe-secure-openssl.c: initialize_SSL(PGconn *conn) + */ + if (fnbuf[0] == '\0') + libpq_append_conn_error(conn, "could not get home directory to locate root certificate file\n" +- "Either provide the file or change sslmode to disable server certificate verification."); ++ "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification."); + else + libpq_append_conn_error(conn, "root certificate file \"%s\" does not exist\n" +- "Either provide the file or change sslmode to disable server certificate verification.", fnbuf); ++ "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf); + SSL_CTX_free(SSL_context); + return -1; + } ## src/test/ssl/ssl/server-cn-only+server_ca.crt (new) ## @@ 2: c392e1796e ! 
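Review bot: The failure branch in the first hunk (`char *err = SSLerrmessage(ERR_get_error()); … return -1;`) is presumably the error path of the call that loads the system trust roots, but that call sits above the hunk, and if it is OpenSSL's SSL_CTX_set_default_verify_paths() it reports success even when the default CA file and directory are absent, because OpenSSL ignores missing defaults. An empty or misconfigured system store would therefore not reach this branch and would surface later as a certificate verification failure with a less specific message. Worth a comment on the check, e.g. `/* Only lookup-setup failures land here; a missing or empty system store is reported at verify time, not here. */`, and the user-facing message could mention that SSL_CERT_DIR/SSL_CERT_FILE influence which default locations are consulted. The enclosing initialize_SSL() starts and ends outside the hunk.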
2: e4d9731e1e libpq: force sslmode=verify-full for system CAs
@@ src/interfaces/libpq/fe-connect.c: connectOptions2(PGconn *conn)
+ && strcmp(conn->sslrootcert, "system") == 0)
+ {
+ conn->status = CONNECTION_BAD;
-+ appendPQExpBuffer(&conn->errorMessage,
-+ libpq_gettext("sslrootcert value \"%s\" invalid when SSL support is not compiled in\n"),
-+ conn->sslrootcert);
++ libpq_append_conn_error(conn, "sslrootcert value \"%s\" invalid when SSL support is not compiled in",
++ conn->sslrootcert);
+ return false;
+ }
+#endif
@@ src/interfaces/libpq/fe-connect.c: connectOptions2(PGconn *conn)
+ && strcmp(conn->sslmode, "verify-full") != 0)
+ {
+ conn->status = CONNECTION_BAD;
-+ appendPQExpBuffer(&conn->errorMessage,
-+ libpq_gettext("weak sslmode \"%s\" may not be used with sslrootcert=system\n"),
-+ conn->sslmode);
++ libpq_append_conn_error(conn, "weak sslmode \"%s\" may not be used with sslrootcert=system",
++ conn->sslmode);
+ return false;
+ }
+#endif
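Review bot: The rejection of `sslrootcert=system` on a build without SSL support, in the first hunk, carries no comment saying why it is an error rather than a no-op, and the reason is security-relevant: the option expresses an expectation that the server certificate will be verified against the system trust store, which such a build cannot honor, so failing closed prevents a silently unverified connection. I would add above the check `/* Fail closed: a non-SSL build cannot verify against system roots, and silently connecting without TLS would betray the trust the option requests. */`. Note also that the `%s` in the new message always expands to the literal `system` here, since the `strcmp` two lines up guarantees it, so a fixed string would suffice; harmless either way. The `if` that `&& strcmp(...)` continues, and the preprocessor conditional that `+#endif` closes, both start outside the hunk.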