From f06c79b4dcc74e25671037e86733c3ba347201ef Mon Sep 17 00:00:00 2001
From: Greg Rychlewski
Date: Tue, 25 Jun 2024 21:21:44 -0400
Subject: [PATCH 1/2] default to system certificate store
---
 lib/postgrex/protocol.ex | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/postgrex/protocol.ex b/lib/postgrex/protocol.ex
index 3a7f67bb..7fa02345 100644
--- a/lib/postgrex/protocol.ex
+++ b/lib/postgrex/protocol.ex
@@ -143,12 +143,18 @@ defmodule Postgrex.Protocol do
 end
 defp default_ssl_opts do
- [
+ opts = [
 verify: :verify_peer,
 customize_hostname_check: [
 match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
 ]
 ]
+
+ try do
+ Keyword.put(opts, :cacerts, :public_key.cacerts_get())
+ rescue
+ _ -> opts
+ end
 end
 defp endpoints(opts) do
From a92f56276d173f6d7912b4566757b4548eab799b Mon Sep 17 00:00:00 2001
From: Greg Rychlewski
Date: Tue, 25 Jun 2024 21:41:07 -0400
Subject: [PATCH 2/2] default ssl store
---
 lib/postgrex/protocol.ex | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/lib/postgrex/protocol.ex b/lib/postgrex/protocol.ex
index 7fa02345..ee173574 100644
--- a/lib/postgrex/protocol.ex
+++ b/lib/postgrex/protocol.ex
@@ -101,7 +101,7 @@ defmodule Postgrex.Protocol do
 Keyword.pop(opts, :ssl_opts, [])
 {ssl_opts, opts} when is_list(ssl_opts) ->
- {Keyword.merge(default_ssl_opts(), ssl_opts), opts}
+ {ssl_opts(ssl_opts), opts}
 end
 transactions =
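Review bot: The bare `rescue _ -> opts` around `:public_key.cacerts_get()` in `default_ssl_opts/0` (PATCH 1/2) discards every exception without a trace, so a host whose system CA store cannot be loaded ends up with `verify: :verify_peer` and no trust anchors. That most likely fails closed, but the user only sees a later TLS error with no hint that the default store was unavailable. I would rescue only the failures expected here and record the reason, for example `rescue e in [ErlangError, UndefinedFunctionError] ->` followed by a log line before returning `opts`; the exact exception types are my reading of `cacerts_get/0` and should be confirmed. The same `try`/`rescue` is carried unchanged into `ssl_opts/1` in PATCH 2/2.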
@@ -142,18 +142,26 @@ defmodule Postgrex.Protocol do
 connect_endpoints(endpoints, sock_opts ++ @sock_opts, connect_timeout, s, status, [])
 end
- defp default_ssl_opts do
- opts = [
- verify: :verify_peer,
- customize_hostname_check: [
- match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
- ]
- ]
+ defp ssl_opts(user_opts) do
+ opts =
+ Keyword.merge(
+ [
+ verify: :verify_peer,
+ customize_hostname_check: [
+ match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+ ]
+ ],
+ user_opts
+ )
- try do
- Keyword.put(opts, :cacerts, :public_key.cacerts_get())
- rescue
- _ -> opts
+ if Keyword.has_key?(opts, :cacertfile) or Keyword.has_key?(opts, :cacerts) do
+ opts
+ else
+ try do
+ Keyword.put(opts, :cacerts, :public_key.cacerts_get())
+ rescue
+ _ -> opts
+ end
 end
 end
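Review bot: The `Keyword.has_key?/2` checks in `ssl_opts/1` test only whether `:cacertfile` or `:cacerts` is present, so a caller whose config yields `cacertfile: nil` (for example from an unset environment variable) skips the system-store fallback while `verify: :verify_peer` stays in force. That presumably surfaces as a TLS option or handshake error rather than an unverified connection, but the cause will be hard to spot. If the fallback should apply in that case, test the values instead, e.g. `if opts[:cacertfile] || opts[:cacerts] do`. Either way, a short comment above the `if` saying that user-supplied CA options always take precedence over the system store would make the intended contract explicit.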