From: Magnus Hagander Date: Sat, 24 Sep 2011 12:29:37 +0000 (+0200) Subject: Note that sslmode=require verifies the CA if root cert is present X-Git-Tag: REL9_0_6~51 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=05c4ef629532ebe6a8f13e6c42cda8a3ea0bd34e;p=postgresql Note that sslmode=require verifies the CA if root cert is present This mode still exists for backwards compatibility, making sslmode=require the same as sslmode=verify-ca when the file is present, but not causing an error when it isn't. Per bug 6189, reported by Srinivas Aji --- diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index cff2e2a021..e9c24ad543 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -391,7 +391,9 @@ PGconn *PQconnectdbParams(const char **keywords, const char **values, int expand require - only try an SSL connection + only try an SSL connection. If a root CA + file is present, verify the certificate in the same way as + if verify-ca was specified @@ -6512,6 +6514,18 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*) the connection parameters sslrootcert and sslcrl or the environment variables PGSSLROOTCERT and PGSSLCRL. + + + + For backwards compatibility with earlier versions of PostgreSQL, if a + root CA file exists, the behavior of + sslmode=require will be the same + as that of verify-ca, meaning the sever certificate + is validated against the CA. Relying on this behavior is discouraged, + and applications that need certificate validation should always use + validate-ca or validate-full. + +