From 3e17a0020b0a896ecfa4aa06b140bbb21b23eb83 Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Sat, 24 Sep 2011 14:29:37 +0200
Subject: [PATCH] Note that sslmode=require verifies the CA if root cert is
 present

This mode still exists for backwards compatibility, making
sslmode=require the same as sslmode=verify-ca when the file is present,
but not causing an error when it isn't.

Per bug 6189, reported by Srinivas Aji
---
 doc/src/sgml/libpq.sgml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 7fc8a5775b..702ad888f5 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -304,7 +304,9 @@
         
              <row>
               <entry><literal>require</></entry>
-              <entry>only try an <acronym>SSL</> connection</entry>
+              <entry>only try an <acronym>SSL</> connection. If a root CA
+               file is present, verify the certificate in the same way as
+               if <literal>verify-ca</literal> was specified</entry>
              </row>
 
              <row>
@@ -6197,6 +6199,18 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
    by the connection parameters <literal>sslrootcert</> and <literal>sslcrl</>
    or the environment variables <envar>PGSSLROOTCERT</> and <envar>PGSSLCRL</>.
   </para>
+
+  <note>
+   <para>
+    For backwards compatibility with earlier versions of PostgreSQL, if a
+    root CA file exists, the behavior of
+    <literal>sslmode</literal>=<literal>require</literal> will be the same
+    as that of <literal>verify-ca</literal>, meaning the sever certificate
+    is validated against the CA. Relying on this behavior is discouraged,
+    and applications that need certificate validation should always use
+    <literal>validate-ca</literal> or <literal>validate-full</literal>.
+   </para>
+  </note>
  </sect2>
 
  <sect2 id="libpq-ssl-clientcert">
-- 
2.30.2