author | Daniel Gustafsson | 2025-04-04 07:47:36 +0000 |
---|---|---|
committer | Daniel Gustafsson | 2025-04-04 07:47:36 +0000 |
commit | c88b36d382ebb7925db9f713dcf5ad8ca1bbae71 (patch) | |
tree | 1cb12daf71e29bfcc311d1293f70b1f635ae41bf /doc | |
parent | aab422af95c395e01436f9fc0cb74ff96550143e (diff) |
doc: Clarify the system value for sslrootcert
The documentation for the special value "system" for sslrootcert could
be misinterpreted to mean the default operating system CA store, which
it may be, but it's defined to be the default CA store of the SSL lib
used.
Backpatch down to v16 where support for the system value was added.
Author: Daniel Gustafsson <[email protected]>
Reviewed-by: George MacKerron <[email protected]>
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 16
Diffstat (limited to 'doc')
-rw-r--r-- | doc/src/sgml/libpq.sgml | 2 | ||||
-rw-r--r-- | doc/src/sgml/runtime.sgml | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index e3b74af96a6..789a6ec2486 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1999,7 +1999,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname </para> <para> The special value <literal>system</literal> may be specified instead, in - which case the system's trusted CA roots will be loaded. The exact + which case the trusted CA roots from the SSL implementation will be loaded. The exact locations of these root certificates differ by SSL implementation and platform. For <productname>OpenSSL</productname> in particular, the locations may be further modified by the <envar>SSL_CERT_DIR</envar> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 893b30eb31a..25ee5be5b1b 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -1986,7 +1986,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 <literal>sslmode=verify-ca</literal> or <literal>verify-full</literal> and have the appropriate root certificate file installed (<xref linkend="libq-ssl-certificates"/>). Alternatively the - system CA pool can be used using <literal>sslrootcert=system</literal>; in + <link linkend="libpq-connect-sslrootcert">system CA pool</link>, as defined + by the SSL implementation, can be used using <literal>sslrootcert=system</literal>; in this case, <literal>sslmode=verify-full</literal> is forced for safety, since it is generally trivial to obtain certificates which are signed by a public CA. |
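
Review bot: In the libpq.sgml hunk, the replacement line "which case the trusted CA roots from the SSL implementation will be loaded. The exact" runs well past the wrap width of the neighbouring lines, so the paragraph should be re-wrapped. The new wording also leaves implicit what the commit message spells out, that the SSL library's default CA store may be the operating system's store but is not defined to be. A short clause saying so would stop readers from assuming that adding a CA to the OS trust store is enough for `sslrootcert=system` to trust it.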
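
Review bot: In the runtime.sgml hunk, the added line keeps the phrase "can be used using", which reads awkwardly now that the sentence is being touched anyway; "can be used by specifying <literal>sslrootcert=system</literal>" would be cleaner. The second added line is also much longer than the surrounding wrapped lines and should be re-wrapped. The sentence that follows in the context lines ("sslmode=verify-full is forced for safety") is the security-relevant consequence of this setting, so linking to the sslrootcert parameter description here is a good addition.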