From: Jacob Champion
Date: Tue, 6 Jan 2026 08:28:39 -0800
Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
To: "Jonathan Gonzalez V."
Cc: Zsolt Parragi, Daniel Gustafsson, PostgreSQL Hackers

On Tue, Jan 6, 2026 at 12:45 AM Jonathan Gonzalez V. wrote:
> I will for sure still allow an environment variable too like OAUTH_CA
> or OAUTH_CA_FILE, just because environment variable for these
> parameters is widely used, just like in curl[1] has cacert_file and
> support for CURL_CA_BUNDLE, both options make sure that users may not
> be limited.

Right -- I hadn't meant that you should remove the PGOAUTHCAFILE
envvar from your patch, just that an oauth_ca_file parameter should be
added as well.

> I already worked a patch (before this one) to add an option to pass the
> CA but I discarded that because I didn't think it was going to be
> accepted, I can rework that with all the ideas, but, what do you think
> about creating a wiki page with all the ideas to manage the
> certificates?

You're more than welcome to add any wiki pages you think would be
useful -- you certainly don't need my permission :D If you don't have
edit access yet, see

    https://wiki.postgresql.org/wiki/WikiEditing

> probably the CA will require to also add some skip or
> insecure options, full bundles and how to build them, etc.

I'm not quite sure what you mean by these, but it might be easier to
read the wiki page you had in mind and comment on that.

Thanks!
--Jacob