The following bug has been logged online:
Bug reference: 6189
Logged by: Srinivas Aji
Email address: srinivas.aji@emc.com
PostgreSQL version: 9.0.4
Operating system: Linux
Description: libpq: sslmode=require verifies server certificate if
root.crt is present
Details:
From the documentation of sslmode values in
http://www.postgresql.org/docs/9.0/static/libpq-ssl.html ,
it looks like libpq will not verify the server certificate when the option
sslmode=require is used, and will perform different levels of certificate
verification in the cases sslmode=verify-ca and sslmode=verify-full.
The observed behaviour is a bit different. If the ~/.postgresql/root.crt
file (or any other filename set through sslrootcert option) is found,
sslmode=require also performs the same level of certificate verification as
verify-ca. The difference between require and verify-ca is that it is an
error for the file to not exist when sslmode is verify-ca.
Thanks,
Srinivas