Note that sslmode=require verifies the CA if root cert is present

This mode still exists for backwards compatibility, making sslmode=require the same as sslmode=verify-ca when the file is present, but not causing an error when it isn't. Per bug 6189, reported by Srinivas Aji
2011-09-24 14:25:12 +02:00 · 2011-09-24 14:25:12 +02:00 · 33e81fdfaf
commit 33e81fdfaf
parent 4c5d837e69
1 changed files with 15 additions and 1 deletions
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@ -420,7 +420,9 @@ PGconn *PQconnectdbParams(const char **keywords, const char **values, int expand
             <term><literal>require</literal></term>
             <listitem>
              <para>
-               only try an <acronym>SSL</> connection
+               only try an <acronym>SSL</> connection. If a root CA
+               file is present, verify the certificate in the same way as
+               if <literal>verify-ca</literal> was specified
              </para>
             </listitem>
            </varlistentry>
@ -6732,6 +6734,18 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
   the connection parameters <literal>sslrootcert</> and <literal>sslcrl</>
   or the environment variables <envar>PGSSLROOTCERT</> and <envar>PGSSLCRL</>.
  </para>
+
+  <note>
+   <para>
+    For backwards compatibility with earlier versions of PostgreSQL, if a
+    root CA file exists, the behavior of
+    <literal>sslmode</literal>=<literal>require</literal> will be the same
+    as that of <literal>verify-ca</literal>, meaning the sever certificate
+    is validated against the CA. Relying on this behavior is discouraged,
+    and applications that need certificate validation should always use
+    <literal>validate-ca</literal> or <literal>validate-full</literal>.
+   </para>
+  </note>
 </sect2>

 <sect2 id="libpq-ssl-clientcert">