| -rw-r--r-- | doc/src/sgml/libpq.sgml | 16 | 
1 files changed, 15 insertions, 1 deletions
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index cff2e2a0212..e9c24ad543f 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -391,7 +391,9 @@ PGconn *PQconnectdbParams(const char **keywords, const char **values, int expand
              <row>
               <entry><literal>require</></entry>
-              <entry>only try an <acronym>SSL</> connection</entry>
+              <entry>only try an <acronym>SSL</> connection. If a root CA
+               file is present, verify the certificate in the same way as
+               if <literal>verify-ca</literal> was specified</entry>
              </row>
              <row>
@@ -6512,6 +6514,18 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
    the connection parameters <literal>sslrootcert</> and <literal>sslcrl</>
    or the environment variables <envar>PGSSLROOTCERT</> and <envar>PGSSLCRL</>.
   </para>
+
+  <note>
+   <para>
+    For backwards compatibility with earlier versions of PostgreSQL, if a
+    root CA file exists, the behavior of
+    <literal>sslmode</literal>=<literal>require</literal> will be the same
+    as that of <literal>verify-ca</literal>, meaning the sever certificate
+    is validated against the CA. Relying on this behavior is discouraged,
+    and applications that need certificate validation should always use
+    <literal>validate-ca</literal> or <literal>validate-full</literal>.
+   </para>
+  </note>
  </sect2>
  <sect2 id="libpq-ssl-clientcert">  | 
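Review bot: The last sentence of the added note in the second hunk recommends `validate-ca` or `validate-full`, but the mode this patch names everywhere else is `verify-ca` (the first hunk and earlier in the same note), so a reader who copies the recommended value gets a name the documentation does not define. The sentence should end `<literal>verify-ca</literal> or <literal>verify-full</literal>.` In the same note, "the sever certificate" should read "the server certificate". Going by the first hunk's wording, `require` without a root CA file performs no certificate validation; if that is right, the note should say so explicitly, because that is the case an application relying on `require` silently falls into.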
