Usage of the system truststore for SSL certificate validation

Hi,

currently, libpq does SSL cerificate validation only against the defined
`PGSSLROOTCERT` file.

Is there any specific reason, why the system truststore ( at least under
unixoid systems) is not considered for the validation?

We would like to contribute a patch to allow certificate validation against
the system truststore. Are there any opinions against it?


A little bit background for this:

Internally we sign the certificates for our systems with our own CA. The CA
root certificates and revocation lists are distributed via puppet and/or
packages on all of our internal systems.

Validating the certificate against this CA requires to either override the
PGSSLROOTCERT location via the environment or provide a copy of the file for
each user that connects with libpq or libpq-like connectors.

We would like to simplify this.


--
Thomas Berger

PostgreSQL DBA
Database Operations

1&1 Telecommunication SE | Ernst-Frey-Straße 10 | 76135 Karlsruhe | Germany