From 2ca0e8f9a0f9863555a26e984cde15efff9ef8f8 Mon Sep 17 00:00:00 2001
From: Christopher Speller
Date: Fri, 23 Sep 2016 10:17:51 -0400
Subject: Updating golang dependancies (#4075)
---
vendor/github.com/lib/pq/conn.go | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'vendor/github.com/lib/pq/conn.go')
diff --git a/vendor/github.com/lib/pq/conn.go b/vendor/github.com/lib/pq/conn.go
index 336c89449..8e1aee9f0 100644
--- a/vendor/github.com/lib/pq/conn.go
+++ b/vendor/github.com/lib/pq/conn.go
@@ -968,8 +968,23 @@ func (cn *conn) ssl(o values) {
 verifyCaOnly := false
 tlsConf := tls.Config{}
 switch mode := o.Get("sslmode"); mode {
- case "require", "":
+ // "require" is the default.
+ case "", "require":
+ // We must skip TLS's own verification since it requires full
+ // verification since Go 1.3.
 tlsConf.InsecureSkipVerify = true
+
+ // From http://www.postgresql.org/docs/current/static/libpq-ssl.html:
+ // Note: For backwards compatibility with earlier versions of PostgreSQL, if a
+ // root CA file exists, the behavior of sslmode=require will be the same as
+ // that of verify-ca, meaning the server certificate is validated against the
+ // CA. Relying on this behavior is discouraged, and applications that need
+ // certificate validation should always use verify-ca or verify-full.
+ if _, err := os.Stat(o.Get("sslrootcert")); err == nil {
+ verifyCaOnly = true
+ } else {
+ o.Set("sslrootcert", "")
+ }
 case "verify-ca":
 // We must skip TLS's own verification since it requires full
 // verification since Go 1.3.
-- cgit v1.2.3-1-g7c22