> On 29 Apr 2024, at 21:06, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> Oh I was not aware sslrootcert=system works like that. That's a bit surprising, none of the other ssl-related
settingsimply or require that SSL is actually used. Did we intend to set a precedence for new settings with that?
It was very much intentional, and documented, an sslmode other than verify-full
makes little sense when combined with sslrootcert=system. It wasn't intended
to set a precedence (though there is probably a fair bit of things we can do,
getting this right is hard enough as it is), rather it was footgun prevention.
--
Daniel Gustafsson