From 33e81fdfaf6a8d92451cd780e5619ac5be0b44c9 Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Sat, 24 Sep 2011 14:25:12 +0200
Subject: [PATCH] Note that sslmode=require verifies the CA if root cert is
present
This mode still exists for backwards compatibility, making
sslmode=require the same as sslmode=verify-ca when the file is present,
but not causing an error when it isn't.
Per bug 6189, reported by Srinivas Aji
---
doc/src/sgml/libpq.sgml | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 163a893fb96..48689a7df23 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -420,7 +420,9 @@ PGconn *PQconnectdbParams(const char **keywords, const char **values, int expand
<term><literal>require</literal></term>
<listitem>
<para>
- only try an <acronym>SSL</> connection
+ only try an <acronym>SSL</> connection. If a root CA
+ file is present, verify the certificate in the same way as
+ if <literal>verify-ca</literal> was specified
</para>
</listitem>
</varlistentry>
@@ -6732,6 +6734,18 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
the connection parameters <literal>sslrootcert</> and <literal>sslcrl</>
or the environment variables <envar>PGSSLROOTCERT</> and <envar>PGSSLCRL</>.
</para>
+
+ <note>
+ <para>
+ For backwards compatibility with earlier versions of PostgreSQL, if a
+ root CA file exists, the behavior of
+ <literal>sslmode</literal>=<literal>require</literal> will be the same
+ as that of <literal>verify-ca</literal>, meaning the sever certificate
+ is validated against the CA. Relying on this behavior is discouraged,
+ and applications that need certificate validation should always use
+ <literal>validate-ca</literal> or <literal>validate-full</literal>.
+ </para>
+ </note>
</sect2>
<sect2 id="libpq-ssl-clientcert">
--
GitLab