Merge pull request #33 from pjediny/sslmode-require-with-rootca
Fix behavior of sslmode=require with sslrootcert present
@@ -548,7 +548,17 @@ func configTLS(settings map[string]string) ([]*tls.Config, error) {
|
|||||||
case "allow", "prefer":
|
case "allow", "prefer":
|
||||||
tlsConfig.InsecureSkipVerify = true
|
tlsConfig.InsecureSkipVerify = true
|
||||||
case "require":
|
case "require":
|
||||||
tlsConfig.InsecureSkipVerify = sslrootcert == ""
|
// According to PostgreSQL documentation, if a root CA file exists,
|
||||||
|
// the behavior of sslmode=require should be the same as that of verify-ca
|
||||||
|
//
|
||||||
|
// See https://www.postgresql.org/docs/12/libpq-ssl.html
|
||||||
|
if sslrootcert != "" {
|
||||||
|
goto nextCase
|
||||||
|
}
|
||||||
|
tlsConfig.InsecureSkipVerify = true
|
||||||
|
break
|
||||||
|
nextCase:
|
||||||
|
fallthrough
|
||||||
case "verify-ca":
|
case "verify-ca":
|
||||||
// Don't perform the default certificate verification because it
|
// Don't perform the default certificate verification because it
|
||||||
// will verify the hostname. Instead, verify the server's
|
// will verify the hostname. Instead, verify the server's
|
||||||
|
|||||||
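Review bot: The `tlsConfig.InsecureSkipVerify = true` line that remains under `case "require"` has no comment, so the new comment block explains the root-CA path but not that the path without `sslrootcert` accepts any server certificate. I would add above that line `// No sslrootcert: the connection is encrypted but the server certificate is not verified; use verify-ca or verify-full to authenticate the server.` The block could also state that the `verify-ca` path reached through `goto nextCase` / `fallthrough` checks the chain but not the hostname, as the comment under `case "verify-ca"` indicates, so `require` with a root CA still does not bind the certificate to the host. configTLS starts and ends outside this hunk, so how `sslrootcert` is read and how the chain is verified cannot be checked from here.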