From 30fa7cc37fcc1e4aacd4a1386f4cac7f52eae374 Mon Sep 17 00:00:00 2001
From: Johan Brandhorst
Date: Fri, 8 Sep 2017 20:44:10 +0100
Subject: [PATCH] Skip certificate verification for sslmode "require" This more appropriately aligns the behaviour of the library with that advertised by the postgres documentation. According to the table on the official documentation page https://www.postgresql.org/docs/current/static/libpq-ssl.html, the "require" mode should be used when: "I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want." This maps reasonably well to a TLS config that skips certificate verification.
---
 conn.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/conn.go b/conn.go
index f549e03e..10ba1aa9 100644
--- a/conn.go
+++ b/conn.go
@@ -711,7 +711,9 @@ func configSSL(sslmode string, cc *ConnConfig) error {
 cc.TLSConfig = &tls.Config{InsecureSkipVerify: true}
 cc.UseFallbackTLS = true
 cc.FallbackTLSConfig = nil
- case "require", "verify-ca", "verify-full":
+ case "require":
+ cc.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+ case "verify-ca", "verify-full":
 cc.TLSConfig = &tls.Config{
 ServerName: cc.Host,
 }
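Review bot: The new `case "require":` branch drops both chain and hostname verification for every caller that previously got a verified connection from `sslmode=require`, and nothing in the code records that this is intentional. Because the downgrade is silent on upgrade, the branch should carry a comment such as `// require: encrypted but unauthenticated, as in libpq; use verify-ca or verify-full where an active man-in-the-middle is in scope`, and the behaviour change deserves a changelog entry. The libpq page cited in the description also says that `require` behaves like `verify-ca` when a root CA file is present, which this branch does not mirror. Whether the library handles a root certificate elsewhere cannot be judged from here, since configSSL begins and ends outside the hunk.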