When using PGSSLROOTCERT, Npgsql shouldn't use additional certificates from the system CA store #6100

@Tolsto

Current Behavior

When setting PGSSLROOTCERT or the Root Certificate configuration to a file containing a root CA certificate, Npgsql uses that certificate in addition to the system CA store rather than exclusively.

Expected Behavior

Npgsql should use only the provided root CA certificate for chain verification, not the system store. This is consistent with other PostgreSQL tools like the psql CLI, which exclusively uses the specified root CA certificate for verification.

Impact

The current implementation potentially compromises security as the system CA store may contain certificates from untrusted sources. When users explicitly specify a root CA certificate, they typically intend to restrict certificate chain verification to only that trusted authority.
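
What exclusive trust looks like at the .NET chain-building level, as an added example (not Npgsql's code and not part of the issue text): `X509ChainTrustMode.CustomRootTrust` makes the chain engine ignore the system store and accept only roots placed in `CustomTrustStore`, so a leaf issued by the pinned root builds and a leaf issued by any other root does not. Both CAs, the `db.example` name and all helper names are constructed for the demonstration; it assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ExclusiveRootDemo
{
    // True only if 'leaf' chains to a certificate in 'roots'; the system CA store is ignored.
    static bool ChainsToRoot(X509Certificate2 leaf, X509Certificate2Collection roots)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(roots);
        // The constructed certificates below publish no CRL/OCSP endpoint.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(leaf);
    }

    // Constructed test CA (self-signed, held in memory only).
    static X509Certificate2 MakeCa(string cn)
    {
        var req = new CertificateRequest($"CN={cn}", RSA.Create(2048),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
        var now = DateTimeOffset.UtcNow;
        return req.CreateSelfSigned(now.AddDays(-2), now.AddDays(60));
    }

    // Constructed server certificate signed by 'ca'.
    static X509Certificate2 MakeLeaf(X509Certificate2 ca, string cn)
    {
        var req = new CertificateRequest($"CN={cn}", RSA.Create(2048),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        var now = DateTimeOffset.UtcNow;
        return req.Create(ca, now.AddDays(-1), now.AddDays(30), RandomNumberGenerator.GetBytes(8));
    }

    static void Main()
    {
        var pinnedCa = MakeCa("Pinned Test Root");
        var otherCa = MakeCa("Other Test Root"); // stands in for a CA from the system store
        var roots = new X509Certificate2Collection { pinnedCa };
        Console.WriteLine(ChainsToRoot(MakeLeaf(pinnedCa, "db.example"), roots));
        Console.WriteLine(ChainsToRoot(MakeLeaf(otherCa, "db.example"), roots));
    }
}
```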
