Note that sslmode=require verifies the CA if root cert is present

This mode still exists for backwards compatibility, making
sslmode=require the same as sslmode=verify-ca when the file is present,
but not causing an error when it isn't.

Per bug 6189, reported by Srinivas Aji

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index cff2e2a0212cfe66bb0c99c66804a3654195fa00..e9c24ad543f1b6e8032e30900f96b9d921075932 100644 (file)
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -391,7 +391,9 @@ PGconn *PQconnectdbParams(const char **keywords, const char **values, int expand
 
              
               require
-              only try an SSL connection
+              only try an SSL connection. If a root CA
+               file is present, verify the certificate in the same way as
+               if verify-ca was specified
              
 
              
@@ -6512,6 +6514,18 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
    the connection parameters sslrootcert and sslcrl
    or the environment variables PGSSLROOTCERT and PGSSLCRL.
   
+
+  
+   
+    For backwards compatibility with earlier versions of PostgreSQL, if a
+    root CA file exists, the behavior of
+    sslmode=require will be the same
+    as that of verify-ca, meaning the sever certificate
+    is validated against the CA. Relying on this behavior is discouraged,
+    and applications that need certificate validation should always use
+    validate-ca or validate-full.
+   
+