doc: Clarify the system value for sslrootcert

danielgustafsson · danielgustafsson · commit dda1b0603523 · 2025-04-04T09:47:36.000+02:00
The documentation for the special value "system" for sslrootcert could be misinterpreted to mean the default operating system CA store, which it may be, but it's defined to be the default CA store of the SSL lib used. Backpatch down to v16 where support for the system value was added. Author: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: George MacKerron <george@mackerron.co.uk> Discussion: https://postgr.es/m/B3CBBAA3-6EA3-4AB7-8619-4BBFAB93DDB4@yesql.se Backpatch-through: 16
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
@@ -1878,7 +1878,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
        </para>
        <para>
         The special value <literal>system</literal> may be specified instead, in
-        which case the system's trusted CA roots will be loaded. The exact
+        which case the trusted CA roots from the SSL implementation will be loaded. The exact
         locations of these root certificates differ by SSL implementation and
         platform. For <productname>OpenSSL</productname> in particular, the
         locations may be further modified by the <envar>SSL_CERT_DIR</envar>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
@@ -2009,7 +2009,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
    <literal>sslmode=verify-ca</literal> or
    <literal>verify-full</literal> and have the appropriate root certificate
    file installed (<xref linkend="libq-ssl-certificates"/>). Alternatively the
-   system CA pool can be used using <literal>sslrootcert=system</literal>; in
+   <link linkend="libpq-connect-sslrootcert">system CA pool</link>, as defined
+   by the SSL implementation, can be used using <literal>sslrootcert=system</literal>; in
    this case, <literal>sslmode=verify-full</literal> is forced for safety, since
    it is generally trivial to obtain certificates which are signed by a public
    CA.
