sslmode=require fallback
From | Jakob Egger
---|---
Subject | sslmode=require fallback
Date |
Msg-id | 2A5EFBDC-41C6-42A8-8B6D-E69DA60E9962@eggerapps.at
Responses | Re: sslmode=require fallback
List | pgsql-hackers
Hi!

I've looked at the way libpq handles TLS certificates and plaintext fallback, and I am somewhat surprised.

The default sslmode is prefer. According to the documentation, this will make libpq use an SSL connection if possible, but will use a plain text connection as a fallback. The certificate will not be verified.

If, however, there is a root certificate in ~/.postgresql/root.crt, libpq will check if the server cert matches this certificate, and refuse any certificates that don't match. This means that libpq will fall back to a plain text connection!

This is very unexpected behavior! Shouldn't libpq prefer an *unauthenticated but encrypted* connection over an *unauthenticated and unencrypted* connection?

This behavior also causes sslmode=require to behave like sslmode=verify-ca when ~/.postgresql/root.crt exists.

From my limited understanding, it seems the way to fix this would be in fe-secure-openssl.c, to change initialize_SSL() to only read the root certificate file when sslmode=verify-*

However, if this is the expected behavior, the documentation at https://www.postgresql.org/docs/current/static/libpq-ssl.html should be updated to make this more clear. It should be made clear that the existence of the file ~/.postgresql/root.crt changes the behavior of sslmode=require and sslmode=prefer.

Best regards,
Jakob
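The interaction Jakob describes (a root CA file silently changing what sslmode=prefer and sslmode=require do) is easy to miss when reviewing connection strings. The following Python script is an added example, not part of the message or of libpq: it parses a libpq keyword=value connection string, resolves sslmode and the root certificate path the way libpq does (parameter, then PGSSLMODE/PGSSLROOTCERT, then the ~/.postgresql/root.crt default), and reports the effective outcome according to the behaviour described above. The function names, the sample connection strings and the `root_cert_exists` override are all constructed for this example.

```python
"""Audit libpq connection parameters for the sslmode / root.crt pitfall
described in the message above.  Added example modelling the reported
behaviour; it is not libpq code and does not open any connection."""
import os
import re
from pathlib import Path

# libpq keyword=value syntax: bare values, or single-quoted values in which a
# backslash escapes the following character.
_TOKEN = re.compile(r"\s*(\w+)\s*=\s*(?:'((?:\\.|[^'\\])*)'|(\S*))")

SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")


def parse_dsn(dsn):
    """Parse a libpq keyword/value connection string into a dict."""
    params = {}
    pos, end = 0, len(dsn.rstrip())
    while pos < end:
        m = _TOKEN.match(dsn, pos)
        if not m:
            raise ValueError(f"malformed connection string near {dsn[pos:pos + 20]!r}")
        key, quoted, bare = m.groups()
        # Undo backslash escapes inside a quoted value.
        params[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        pos = m.end()
    return params


def effective_ssl_policy(params, env=None, root_cert_exists=None):
    """Describe what libpq will do with these parameters, following the
    behaviour reported in the message above.  ``root_cert_exists`` can be
    passed explicitly so the check does not depend on the local filesystem."""
    env = os.environ if env is None else env
    sslmode = params.get("sslmode") or env.get("PGSSLMODE") or "prefer"
    if sslmode not in SSLMODES:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    root_cert = (params.get("sslrootcert") or env.get("PGSSLROOTCERT")
                 or str(Path.home() / ".postgresql" / "root.crt"))
    if root_cert_exists is None:
        root_cert_exists = Path(root_cert).is_file()

    tls_possible = sslmode != "disable"
    # allow and prefer keep a plaintext fallback; require and verify-* never do.
    plaintext_fallback = sslmode in ("allow", "prefer")
    # The root CA file is consulted whenever TLS is attempted, so in prefer
    # mode a certificate mismatch is treated as an SSL failure and libpq
    # retries without SSL (the downgrade the message complains about).
    verifies_chain = tls_possible and (sslmode.startswith("verify") or root_cert_exists)

    findings = []
    if not tls_possible:
        findings.append("sslmode=disable: the connection is never encrypted")
    if sslmode.startswith("verify") and not root_cert_exists:
        findings.append(f"{sslmode} needs a root CA file but {root_cert} is missing: "
                        "the connection will fail")
    if plaintext_fallback:
        findings.append(f"sslmode={sslmode} may silently fall back to an unencrypted connection")
    if plaintext_fallback and root_cert_exists:
        findings.append(f"{root_cert} exists: a server certificate that does not match it "
                        "downgrades the connection to plaintext instead of failing")
    if sslmode == "require" and root_cert_exists:
        findings.append(f"{root_cert} exists: sslmode=require effectively behaves like verify-ca")
    if tls_possible and sslmode != "verify-full":
        findings.append("set sslmode=verify-full to get both encryption and server authentication")
    return {"sslmode": sslmode, "root_cert": root_cert, "tls_possible": tls_possible,
            "verifies_chain": verifies_chain, "plaintext_fallback": plaintext_fallback,
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample connection strings; root_cert_exists=True simulates a
    # workstation that has ~/.postgresql/root.crt in place.
    for dsn in ("host=db.example.internal dbname=app",
                "host=db.example.internal sslmode=require",
                "host=db.example.internal sslmode=verify-full sslrootcert='/etc/pki/pg root.crt'"):
        policy = effective_ssl_policy(parse_dsn(dsn), env={}, root_cert_exists=True)
        print(dsn)
        for finding in policy["findings"]:
            print("  -", finding)
```

Running the script with the three sample strings shows the first one (no sslmode, so prefer) flagged for both the plaintext fallback and the root.crt-triggered downgrade, the second flagged as behaving like verify-ca, and the verify-full string producing no findings. A static check like this complements, but does not replace, a runtime check in the application: after connecting, libpq's PQsslInUse() tells you whether the session actually ended up encrypted.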