Diffstat (limited to 'vendor/github.com/lib/pq/conn.go')
-rw-r--r--vendor/github.com/lib/pq/conn.go17
1 files changed, 16 insertions, 1 deletions
diff --git a/vendor/github.com/lib/pq/conn.go b/vendor/github.com/lib/pq/conn.go
index 336c89449..8e1aee9f0 100644
--- a/vendor/github.com/lib/pq/conn.go
+++ b/vendor/github.com/lib/pq/conn.go
@@ -968,8 +968,23 @@ func (cn *conn) ssl(o values) {
verifyCaOnly := false
tlsConf := tls.Config{}
switch mode := o.Get("sslmode"); mode {
- case "require", "":
+ // "require" is the default.
+ case "", "require":
+ // We must skip TLS's own verification since it requires full
+ // verification since Go 1.3.
tlsConf.InsecureSkipVerify = true
+
+ // From http://www.postgresql.org/docs/current/static/libpq-ssl.html:
+ // Note: For backwards compatibility with earlier versions of PostgreSQL, if a
+ // root CA file exists, the behavior of sslmode=require will be the same as
+ // that of verify-ca, meaning the server certificate is validated against the
+ // CA. Relying on this behavior is discouraged, and applications that need
+ // certificate validation should always use verify-ca or verify-full.
+ if _, err := os.Stat(o.Get("sslrootcert")); err == nil {
+ verifyCaOnly = true
+ } else {
+ o.Set("sslrootcert", "")
+ }
case "verify-ca":
// We must skip TLS's own verification since it requires full
// verification since Go 1.3.
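Review bot: In the `"", "require"` case, any `os.Stat` failure on `sslrootcert` (permission denied or an I/O error, not only a missing file) takes the `else` branch, which clears the setting and leaves `InsecureSkipVerify = true` with `verifyCaOnly` false. A configured root CA is then silently ignored and, as far as the hunk shows, nothing verifies the server certificate. Clearing the path only when the file is truly absent, `} else if os.IsNotExist(err) {`, and surfacing every other error would make that failure visible; how `ssl` reports errors is not shown, since the function starts before this hunk and continues past it. The new comment could also say plainly that without a root CA file this mode encrypts but does not authenticate the server, e.g. `// No root CA file: the server certificate is not verified at all.` Because this file is vendored, the practical step in this repository is to configure connections with `sslmode=verify-ca` or `verify-full`, as the quoted libpq note advises.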