NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit33e81fd

committed

Note that sslmode=require verifies the CA if root cert is present

This mode still exists for backwards compatibility, makingsslmode=require the same as sslmode=verify-ca when the file is present,but not causing an error when it isn't.Per bug 6189, reported by Srinivas Aji

1 parent4c5d837 commit33e81fdCopy full SHA for 33e81fd

File tree

1 file changed

+15

-1

lines changed

doc/src/sgml
- libpq.sgml

1 file changed

+15

-1

lines changed

`‎doc/src/sgml/libpq.sgml`

Lines changed: 15 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -420,7 +420,9 @@ PGconn PQconnectdbParams(const char keywords, const char *values, int expand`
`420`	`420`	`<term><literal>require</literal></term>`
`421`	`421`	`<listitem>`
`422`	`422`	`<para>`
`423`		`- only try an <acronym>SSL</> connection`
	`423`	`+ only try an <acronym>SSL</> connection. If a root CA`
	`424`	`+ file is present, verify the certificate in the same way as`
	`425`	`+ if <literal>verify-ca</literal> was specified`
`424`	`426`	`</para>`
`425`	`427`	`</listitem>`
`426`	`428`	`</varlistentry>`
`@@ -6732,6 +6734,18 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)`
`6732`	`6734`	`the connection parameters <literal>sslrootcert</> and <literal>sslcrl</>`
`6733`	`6735`	`or the environment variables <envar>PGSSLROOTCERT</> and <envar>PGSSLCRL</>.`
`6734`	`6736`	`</para>`
	`6737`	`+`
	`6738`	`+ <note>`
	`6739`	`+ <para>`
	`6740`	`+ For backwards compatibility with earlier versions of PostgreSQL, if a`
	`6741`	`+ root CA file exists, the behavior of`
	`6742`	`+ <literal>sslmode</literal>=<literal>require</literal> will be the same`
	`6743`	`+ as that of <literal>verify-ca</literal>, meaning the sever certificate`
	`6744`	`+ is validated against the CA. Relying on this behavior is discouraged,`
	`6745`	`+ and applications that need certificate validation should always use`
	`6746`	`+ <literal>validate-ca</literal> or <literal>validate-full</literal>.`
	`6747`	`+ </para>`
	`6748`	`+ </note>`
`6735`	`6749`	`</sect2>`
`6736`	`6750`
`6737`	`6751`	`<sect2 id="libpq-ssl-clientcert">`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit33e81fd

File tree

1 file changed

1 file changed

`‎doc/src/sgml/libpq.sgml`

0 commit comments