Re: Making sslrootcert=system work on Windows psql

> On Thu, 24 Apr 2025 at 23:52, Jelte Fennema-Nio <postgres@jeltef.nl> wrote:
>
>> How about we add a *compile time*
>> option that allows the person that compiles libpq to choose which cert
>> store it should use if sslrootcert=system is provided. Something like
>> --system-cert-store=openssl and --system-cert-store=winstore flags for
>> ./configure.
>
> @George So basically my suggestion is to make the behaviour that your
> patch introduces configurable at compile time. FWIW my vote would
> probably be to default to --system-cert-store=winstore if it's
> available. And then --system-cert-store=openssl would be a way out for
> people that took the effort to configure openssl correctly on Windows.

👍 I think that’s a pretty nice idea.

On the other hand, what are the specific objections to doing it dynamically, the way my patch does? I think that has
backwards-compatibilityquite well covered. 

Is the main concern that users may be surprised that the behaviour of psql changes if they later set one of the OpenSSL
environmentvariables or put cert files in OPENSSLDIR? I feel like that would be quite rare and also a pretty safe
failuremode.