Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vd2gy-00DIZ1-0o for pgsql-hackers@arkaria.postgresql.org; Tue, 06 Jan 2026 08:45:29 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vd2gw-0075C6-02 for pgsql-hackers@arkaria.postgresql.org; Tue, 06 Jan 2026 08:45:26 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vd2gv-0075By-1r for pgsql-hackers@lists.postgresql.org; Tue, 06 Jan 2026 08:45:26 +0000 Received: from mail-ej1-x634.google.com ([2a00:1450:4864:20::634]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vd2gu-004Tcv-1J for pgsql-hackers@postgresql.org; Tue, 06 Jan 2026 08:45:25 +0000 Received: by mail-ej1-x634.google.com with SMTP id a640c23a62f3a-b7ffbf4284dso114171366b.3 for ; Tue, 06 Jan 2026 00:45:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767689122; x=1768293922; darn=postgresql.org; h=user-agent:mime-version:date:content-transfer-encoding:autocrypt :references:in-reply-to:cc:to:from:subject:message-id:from:to:cc :subject:date:message-id:reply-to; bh=3UkCoaVSCBx6wr4N+0dtIEioAONdkH5vZGcuC+5stYU=; b=M/tBD/zNma9Z5BpkIiDMk+G6PUukmeyOWAFTc0BGkT6y3Pajnlud1sJuLozYzXhA1d e9eEQqPEGmSpM6aKW1zc0bslRTBp4N7OAimISgrrbzwJEKFnELxWrU7GMAKsF5n7xMcK CcYJBEOPsK8N7yf99x1Kn18KsUrnKd5JuVKqp/H/KZQaT/RBobiSyqDK4uUvNFFBRfdn G/+QJynVr/esQcyGqsHVZFvCdNXsSCcL/QUCVWy59bbxOOG+yp+lfKIgQypNGdSXYbEn H9nUHWEZNxUmOeHMuCXV4Slq9tcbMa/sZsruN+NViWGoBr6niM3B38TpFB3Mpsud5Rp2 OKrQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767689122; x=1768293922; h=user-agent:mime-version:date:content-transfer-encoding:autocrypt :references:in-reply-to:cc:to:from:subject:message-id:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3UkCoaVSCBx6wr4N+0dtIEioAONdkH5vZGcuC+5stYU=; b=NIihKPo95yKiGLY5Whubj2Dl/lYWBc78lwEc7qqnzrBw3JxTutJ4Ae+e60Ljx0Bj1c nQuNw3A5oAeOEpkATkfkzqKOuimLE9m7GzJwpo1GcbN59eS/WQ6ICVCVioxsg5WBKh6A bRbs1OwSbTZRbAqdADptlI7hjG0KWAKeLQuiDcr3b0URqpYjg0Xz50nlzzA8lj2OD1xR pcVGjSlGTNb3mVio/eZtO/ByPSGu7rTvVFi52RJNqsWJq7lp7VaJ7ISj5FAC6/zshu2e suFfo0j+ZqZWLtPbjsAyeeTz6Pm4C8r8VMpKWep6WxTKl+r2HTyUrw+mJ+aWhL/TNlPM WHTQ== X-Forwarded-Encrypted: i=1; AJvYcCW1T1mdCV4frTQu4j+AizVSQFkixm4GMwRdLbevBQU4qwQvUcoojHUjoVl7y66heEMuKX7pZOpAtohqN25B@postgresql.org X-Gm-Message-State: AOJu0Yz1MLgODKCbgANLVoN8xwYOBdPx5VFgtMIE90aZQ8/oSBxTjIyb 3qh6agYUujVq3qCkLQ2XFgf4y29UdPx1XPGkrIFp3BGzVWnz+BhJZ7Q= X-Gm-Gg: AY/fxX7pr3Ee2YgUVpgbZjECjWAFat8IJCTf+sqkrKjNRKEGPsagc0H0N/Cbl3b8wIA jGG60ssC100mCeH45kL7Io/0Op1fjxlB2qyQsQuzPO/PCpQYfSAGqYaPdL7hjNqy1jP3I38HaxU cXs5RU1fLHdeQYmyuTZpnef/68b9Os3bs+bV55hsKZYYQ5AW8dCfkL1EZKC9cDrA0QARagv+sTN MvB00iSFxYqGfDEelSdmwEZQPAe6Daoeas7bsIsEbYblO9Fiqk+oKdNIf3tEvuMa83G49PKhEDX 9vNPLj8txXezu0z859UXnU6LEx/Q8t++lzyTm2A0+ZsU7c1VX1rKIfhGLObhksRst7gQuoHyRlR 0sSGHZY+bYqrclJeX7PbWR2qjCiXBcRRGk8rO6e/IWd4OjVt3TCC0ZffuoLf62VLJ9pwxc219oR cqOLhyKE9+uaor1Ewy5d5wf3WL1FArWFf3To7IhaMrCGao4/dKr7GOMQMJoE9DFe6mv4eJjxZkZ n7Z8J6QWNaSfRfCYc7jqEOVDQOX6GOmiQhwLP4tWxqKuTpdpHh7Sxyezyhap77B46dDGJOxOjQX EdUQzgwwteO5cYfGPQXrHXbznpPj5t32EDOsOX39JsVXIcxjiJkAdTMb X-Google-Smtp-Source: AGHT+IFIqcWymgJDqe1Jxn4owFYqyrbs+Ms4NpjynGI9B4VTyG3GEiy4bWXsbMZ/lrQy20sm7STBcw== X-Received: by 2002:a17:907:c1e:b0:b80:1348:226e with SMTP id a640c23a62f3a-b8426bff445mr269467066b.33.1767689122244; Tue, 06 Jan 2026 00:45:22 -0800 (PST) Received: from 2001-1c00-241c-f600-9340-c764-c74b-b65d.cable.dynamic.v6.ziggo.nl (2001-1c00-241c-f600-9340-c764-c74b-b65d.cable.dynamic.v6.ziggo.nl. [2001:1c00:241c:f600:9340:c764:c74b:b65d]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b842a4d1c6csm164069066b.39.2026.01.06.00.45.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Jan 2026 00:45:21 -0800 (PST) Message-ID: <711e10411f81a2f554fec97b340b60abf5331c9a.camel@gmail.com> Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode From: "Jonathan Gonzalez V." To: Jacob Champion Cc: Zsolt Parragi , Daniel Gustafsson , PostgreSQL Hackers In-Reply-To: References: <16a91d02795cb991963326a902afa764e4d721db.camel@gmail.com> <3D82D240-1CC5-4CE6-BE30-6065B693D40C@yesql.se> <7a0464f0c05db689eb97ba963b212d477d03f5a3.camel@gmail.com> Autocrypt: addr=jonathan.abdiel@gmail.com; prefer-encrypt=mutual; keydata=mQINBF1Rbm8BEADc2lW3toboDjMLry1spo/hxUiMKlA+CDCMwXPZPvyB4TGCQAVYnU+gS NgBJ8H7CF8ghllm9OYeqdRoRvr1unQN5RUShUWTsLhznUu5KV0KfhFbEjQyH7lDeVCzMRNr5r27QT RrmycqAacistMqtjfnsG/j8+HQU9tLrOdnhsxIRUZN/guHBEwx3LVp77lf9HMWabnSgGQVOqhUzA6 P97j8oWRwQNDZjHFVf5k4HMHJRp8OzcvXUOSa+ynH33xBsrLPDza0X6y7pZlfYbmjXdwU/XKSd7oB 4BeChFbrmdilIeSAGKLAHURH9jKeRxDt9pzYMvsIiK9UZlThnEgAVM2IqQzhnzd4jxG13Hi8HZ82O 2Ng4n36kVh5uz0NoIGJ6Guw9R+gqHHxbeSdt8S0P+2VO80UTX+hF7OPbLjE7w8wsTt37Ekp+jRxUs RooShDvnUENiw+TkyPszUZ0k9BZmfwcaC3++WDYyWvGK20wty3ZZMjl69SDdQXQaRu8E59leIpKw6 p8HBBAGZgytVPUN61w52r9dgX9RW0ujBrEztRNWPaDauedKGCXrL678mq7KwYW6Rg+y9orvZJPLUq Z7/m8RJUaeuJdz2LJ2bioUJ2BaPX7YxXdqMm9LZWknzy/pyF8iZHXD5D3H+WNJROlcQ6TQNLqUB11 KRK0koNeqiNbwARAQABtDlKb25hdGhhbiBHb256YWxleiBWLiA8am9uYXRoYW4uZ29uemFsZXpAZW 50ZXJwcmlzZWRiLmNvbT6JAlQEEwEKAD4CGwMCHgECF4AFCwkIBwMFFQoJCAsFFgIDAQAWIQQSbD6 5ytnQRUDy/MNDze8Kc6UcxQUCZ6trnAUJDDswrQAKCRBDze8Kc6UcxaPWD/4lqAiJJjJaB1DXblDi 9SKUSCDg9jGAj9rZUjIsI4bhznxtMwGQfaH7AlmjYtnOgUNZJz1cQ8v2Qv2gR2sXu5BCosPCuOuww +v5vUa+88ydXxnUOs1fVwXrqSKciohhEuZA5vYfcSolgHavEjF4v/W+SB8+7CyJm4sEZauk2Q8gHp In0l2zpTDig2pyp/POM+8FFWzq8fDgMc9AjU+ePIfqMXXSCcLUB8mAUaBrYU3Ezwa/29H5fhvKBJ6 fIFgr4V7dPlTaMhMRlG7Kt4aecjp2TMhoH5da1a2r7CUFHDx7RL7UEMaNYJnEa2IhcwH06cdQl7BY lBhfzy2dvfYvNTrhiUGGLRIS4xwsxJtRYBytOKYO6rZLjsEgHcW3B8DHG3YALc1BVpdCFj030jZ/y oaiHxjs9ZPUuUVqnp21hE5MwczKLzutDk2Mm8hYtGpfAxikOetFkiYxKeBVQsN6za4ff/iLKNrZfj qEk7E28NEg0fY4eYoMXZT8WlTRJOancVVuRtjLyQ+D4hET2qBIMhoXQ27YPWowmG6oxyM531j89wt OTsH3yuV4VnWc02MGrgi+lYPeKk0KUk3pcmwHB2GqDxZS6aSyX7k7jNOiHYN/dY1W6QslOrQggmkZ +QaKtn9YeOx2aZ7CWLiiTVYK4W2Kii9pS71XhcJrMAldvJAeurQwSm9uYXRoYW4gR29uemFsZXogV i4gPGpvbmF0aGFuLmFiZGllbEBnbWFpbC5jb20+iQJUBBMBCgA+AhsDAh4BAheABQsJCAcDBRUKCQ gLBRYCAwEAFiEEEmw+ucrZ0EVA8vzDQ83vCnOlHMUFAmera5wFCQw7MK0ACgkQQ83vCnOlHMVWbxA AxQiwerHqAoq1ahb0uaCiw6eLpEXFbDD7a5BcILo5/lNtill8qkRP1wRdL7iPZWhGRyd4nQB6q1fK vggf6PkQGv2I35kq3/30sT+7TDXla6UFPyI012ipaU/7WW14ipZLeU+/rvUbdKMcWpEYTMHU89w2C Z9LSVHkxm1v3SvkOw1DgnUQvA11L4pzZVtTDluER717y2B0tlo43qMYGjlVNNWAuxHnAzJWC4Acj5 j0XgADAW78h+zFQfQ+b5znRC6tv9C4Pf5vRiw0TaMD2Tn6b8BTpflBX7zh0CINPUsrD8SEw0uZcCv JeSmZSHiHeS8uHcHVIxoxj1d5mcT18tyFC3n2JCfR4RkK/zNYXhBBRJbmiWmFqvzesSQEsGOu3G8X kvZGlN8RBFkj5ScZ4gWjsXwxGv2Hrf8FILycCcS2xkD2Sp2JBfZFHSvi2OI1ItHyrcXiBOSXZu6MU fyJoIWFQDkWkQcWPHxO9n7ZA+c+ACaBtW7rfEoCXYSk4pnUUj6eXA1meY1DI71G39O3k6B5T/yzdL k5h7H3R3ITpGvFNhePjuIYcbdF7stAcc7e46PzjFnApwmG27qXBE8agYtCYMwqcYweMzWvyzAtX3x 9BE8BIicy944IZnQmnhsNn5zT4HXl8xCBedEnYv/qdw32bp7qFhkn6/xNemwhgEFjgNC0N0pvbmF0 aGFuIEdvbnphbGV6IFYgPGpvbmF0aGFuLmdvbnphbGV6QDJuZHF1YWRyYW50LmNvbT6JAlQEEwEKA D4CGwMCHgECF4AFCwkIBwMFFQoJCAsFFgIDAQAWIQQSbD65ytnQRUDy/MNDze8Kc6UcxQUCZ6trnA UJDDswrQAKCRBDze8Kc6UcxY0OD/9svV6f/BSn6OsZ+nIe5birEIEejiU3rEVORNmDxYalHt0MLay YYFRC7WV6Hds/EsokUO+rkqpjXVh8Ee0IIvTolNWgGzW4ZaguP7G+RqXAGndDpT31wG588Ft0fkeN 0Y6+2odoUHNeXkzgLddNrQN3iXlWnfQLMEWBo/uvEpPMls+fO6zvArnrxsMpeS5i2c/BQoN3A2VBr Pk9mQBKoyU+fCQEsTwUl4THVAma4LoXvgd9PZSI9yWUZ1KK2Wb6XnZKqIEv6QN2qIy+g9KqGiUM+6 H4q0D3SDtDaZFrzi3l8ql9iCflgL5fe6gvvU3lmLfRpBrNROfuWSL+Xm+TKClX9PHJ2nAUzgGu8M7 egSXzGhBVvYxKNMqmgpOy6LRa01T9/bfSfMB4zyrEpJm8GRKBDochFEVX+ZDJSGFtgdV9KXSEpe0+ Ei+dOdmptPjeLEtvY7/JtYO/7/ByIGrkZjSGP3L3urShTo1gs6gbIYaXeuSfRpzJ1cy8WepOjTxP2 j52IiH/CIjiXjmzD2KZ0ETyZn3eQY2E/ROqsGmBonTo/xrg2PuSSRbP9xeW9H8LVn0Vh+YRKlUnVn Cn1qQsrrZGEl6FFXI3P1n04mslSzWrlgCjOHJfhbbxqcvLkY2tnPv3vX/b+vd1HmihKz5UpijmBFQ oQ0KXJ6d0Ud8Vdn/b0A== Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable Date: Tue, 06 Jan 2026 09:40:20 +0100 MIME-Version: 1.0 User-Agent: Evolution 3.56.2-4 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi! On Mon, 2026-01-05 at 10:37 -0800, Jacob Champion wrote: >=20 > See https://wiki.postgresql.org/wiki/Category:OAuth_Working_Group=A0for > a current list of tagged [oauth] proposals. Or is that not what > you're > asking about? Not specifically, but that will work more than fine for sure! Thank you! >=20 > Right, and I'm not. I guess that's the main disconnect here: I'm only > talking about enabling and disabling the features exposed by > PGOAUTHDEBUG. I don't think a debug level helps with that, which is > why I proposed a bitmap. >=20 > But that's a feature for a different thread name. I think we should > continue this one by adding an oauth_ca_file connection parameter and > documentation, including the default behavior (which defers to Curl). >=20 >=20 Ok, promoting this to something external to the debug makes a lot of sense to me, that will help a lot to increase the possible usage of this parameter. I will for sure still allow an environment variable too like OAUTH_CA or OAUTH_CA_FILE, just because environment variable for these parameters is widely used, just like in curl[1] has cacert_file and support for CURL_CA_BUNDLE, both options make sure that users may not be limited. I already worked a patch (before this one) to add an option to pass the CA but I discarded that because I didn't thought it was going to be accepted, I can rework that with all the ideas, but, what do you think about creating a wiki page with all the ideas to manage the certificates? probably the CA will require to also add some skip or insecure options, full bundles and how to build them, etc. Regards! [1] https://curl.se/docs/sslcerts.html --=20 Jonathan Gonzalez V. EnterpriseDB