gopkg/pgx
2
0
Fork 0
Code Activity

Fix behavior of sslmode=require with sslrootcert present

Browse Source 
According to PostgreSQL documentation the behavior should be
the same as that of verify-ca sslmode

https://www.postgresql.org/docs/12/libpq-ssl.html
This commit is contained in:
Petr Jediný
2020-04-08 00:08:53 +02:00
parent e4f3224f4c
commit 84aee0ab44
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config.go
+11 -1
View File
@@ -548,7 +548,17 @@ func configTLS(settings map[string]string) ([]*tls.Config, error) {
case "allow", "prefer":
tlsConfig.InsecureSkipVerify = true
case "require":
tlsConfig.InsecureSkipVerify = sslrootcert == ""
// According to PostgreSQL documentation, if a root CA file exists,
// the behavior of sslmode=require should be the same as that of verify-ca
//
// See https://www.postgresql.org/docs/12/libpq-ssl.html
if sslrootcert != "" {
goto nextCase
}
tlsConfig.InsecureSkipVerify = true
break
nextCase:
fallthrough
case "verify-ca":
// Don't perform the default certificate verification because it
// will verify the hostname. Instead, verify the server's