From 84aee0ab4443115da0c34114c300a50a410e5402 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Jedin=C3=BD?=
Date: Wed, 8 Apr 2020 00:08:53 +0200
Subject: [PATCH] Fix behavior of sslmode=require with sslrootcert present
According to PostgreSQL documentation the behavior should be the same as that of verify-ca sslmode https://www.postgresql.org/docs/12/libpq-ssl.html
---
 config.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/config.go b/config.go
index 70e6073a..06184b02 100644
--- a/config.go
+++ b/config.go
@@ -548,7 +548,17 @@ func configTLS(settings map[string]string) ([]*tls.Config, error) {
 case "allow", "prefer":
 tlsConfig.InsecureSkipVerify = true
 case "require":
- tlsConfig.InsecureSkipVerify = sslrootcert == ""
+ // According to PostgreSQL documentation, if a root CA file exists,
+ // the behavior of sslmode=require should be the same as that of verify-ca
+ //
+ // See https://www.postgresql.org/docs/12/libpq-ssl.html
+ if sslrootcert != "" {
+ goto nextCase
+ }
+ tlsConfig.InsecureSkipVerify = true
+ break
+ nextCase:
+ fallthrough
 case "verify-ca":
 // Don't perform the default certificate verification because it
 // will verify the hostname. Instead, verify the server's
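Review bot: The new comment on `case "require":` should also say what this mode does not check, because the change moves the verification level in a way callers may not expect. The removed line left `InsecureSkipVerify` false whenever `sslrootcert` was set, so Go's default verification applied (which, going by the context comment under `verify-ca`, includes the hostname); after this change only the certificate chain is checked, and with no `sslrootcert` nothing is verified at all. I would add `// Chain-only check: the server hostname is NOT verified in this mode; use sslmode=verify-full for that.` and mention the change in the changelog so users relying on the previous stricter behaviour can switch modes. As a style point, the `goto nextCase` / label detour can be dropped by inverting the test, so that the `sslrootcert == ""` branch sets the flag and `break`s and a plain `fallthrough` is the last statement of the case. The rest of `configTLS`, including the body of the `verify-ca` branch, is outside the hunk, so what that branch actually verifies is inferred from its comment.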