1: 84f67249e6 ! 1: 18fd368e0e libpq: add sslrootcert=system to use default CAs
@@ doc/src/sgml/libpq.sgml: postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
+ they control, rendering the verify-ca mode useless.
+
+
++
++
++ The magic system value will take precedence over a
++ local certificate file with the same name. If for some reason you find
++ yourself in this situation, use an alternative path like
++ sslrootcert=./system instead.
++
++
2: 11b69d0bc0 ! 2: ba09e1d83f libpq: force sslmode=verify-full for system CAs
@@ doc/src/sgml/libpq.sgml: postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
+ weaker modes useless.
-
-+
-
-
-
+-
+
+ The magic system value will take precedence over a
+ local certificate file with the same name. If for some reason you find
## doc/src/sgml/runtime.sgml ##
@@ doc/src/sgml/runtime.sgml: pg_dumpall -p 5432 | psql -d postgres -p 5433
@@ src/interfaces/libpq/fe-connect.c: connectOptions2(PGconn *conn)
+ && strcmp(conn->sslmode, "verify-full") != 0)
+ {
+ conn->status = CONNECTION_BAD;
-+ libpq_append_conn_error(conn, "weak sslmode \"%s\" may not be used with sslrootcert=system",
++ libpq_append_conn_error(conn, "weak sslmode \"%s\" may not be used with sslrootcert=system (use verify-full)",
+ conn->sslmode);
+ return false;
+ }
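Review bot: The hint added to the error text in connectOptions2 prints verify-full bare while the rejected mode in the same message is quoted through `\"%s\"`, so the two sslmode values are styled inconsistently; ending the string with `(use \"verify-full\")` would match. The rejection itself fails closed on the visible lines, setting CONNECTION_BAD and returning false. The `if` condition opens above the first visible line, so this hunk does not show whether a comment there already explains why weaker modes are refused with the system CA pool.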
@@ src/interfaces/libpq/fe-connect.c: conninfo_add_defaults(PQconninfoOption *optio
+ if (sslrootcert->val && strcmp(sslrootcert->val, "system") == 0)
+ {
+ free(sslmode_default->val);
++
+ sslmode_default->val = strdup("verify-full");
++ if (!sslmode_default->val)
++ {
++ if (errorMessage)
++ libpq_append_error(errorMessage, "out of memory");
++ return false;
++ }
+ }
+ }
+
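Review bot: The free()/strdup() pair in conninfo_add_defaults has no comment on the visible lines recording that the new out-of-memory branch is deliberately fail-closed. When strdup() fails, `sslmode_default->val` is left NULL and the function returns false, so no connection proceeds with a different sslmode. I would put `/* Replace the default with verify-full; on OOM, fail rather than proceed with another sslmode. */` above the `free()` call. The enclosing block starts outside the hunk, so the condition under which `sslmode_default` is set (presumably only when the user gave no sslmode) cannot be confirmed here and would be worth stating in that comment too.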