Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

From Andres Freund
Subject Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
Date
Msg-id 20161025144511.jedknmw7xjgxa5pf@alap3.anarazel.de
In response to BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL  (balaji.chithambaram@capitalone.com)
Responses Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL  ("Chithambaram, Balaji (CONT)" <Balaji.Chithambaram@capitalone.com>)
List pgsql-bugs
On 2016-10-25 14:41:34 +0000, Chithambaram, Balaji (CONT) wrote:
> We can enforce on our client setup sslmode=verify-ca or
> verify-full.

I guess you meant "can't" not "can"?


> How can we make sure sslmode=prefer either checks the
> certificate and establish ssl connection or not to try setting up ssl
> connection.

That's a nonsensical configuration, you can't.


> Let me ask in another way, is it possible to block sslmode=prefer from
> any clients on the server configuration like postgresql.conf or
> pg_hba.conf or in any other place.

No. Client configuration can't be enforced on the server side. Random
client libraries can do whatever they want.


Andres
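
Because the server cannot enforce the client's sslmode, any check has to run where the connection strings live. The following is an added example, not part of the original message or of PostgreSQL's code: a Python audit that parses libpq connection strings (keyword/value or URI form) and flags those whose effective sslmode does not verify the server certificate. The function names and sample strings are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# libpq sslmode values; only verify-ca and verify-full always verify the certificate.
VERIFYING = {"verify-ca", "verify-full"}
KNOWN = {"disable", "allow", "prefer", "require"} | VERIFYING
LIBPQ_DEFAULT = "prefer"  # libpq's default when sslmode is not set anywhere

# keyword = value; the value is bare or single-quoted with \' and \\ escapes
_PAIR = re.compile(r"\s*([A-Za-z_]+)\s*=\s*(?:'((?:\\.|[^'\\])*)'|(\S*))")

def parse_conninfo(conninfo):
    """Return the parameters of a libpq keyword/value string or URI."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        query = parse_qs(urlsplit(conninfo).query)
        return {k: v[-1] for k, v in query.items()}
    params, pos = {}, 0
    while pos < len(conninfo.rstrip()):
        m = _PAIR.match(conninfo, pos)
        if not m:
            raise ValueError(f"malformed conninfo near offset {pos}")
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1)] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        pos = m.end()
    return params

def effective_sslmode(conninfo, env=None):
    """Explicit sslmode, else the PGSSLMODE environment variable, else the default."""
    explicit = parse_conninfo(conninfo).get("sslmode")
    return explicit or (env or {}).get("PGSSLMODE") or LIBPQ_DEFAULT

def audit(conninfos, env=None):
    """Return (conninfo, sslmode) for entries that do not verify the certificate."""
    findings = []
    for c in conninfos:
        mode = effective_sslmode(c, env)
        if mode not in VERIFYING:
            findings.append((c, mode if mode in KNOWN else f"invalid:{mode}"))
    return findings

# Constructed sample connection strings (not taken from the thread).
SAMPLE = [
    "host=db1 dbname=app",
    "host=db1 sslmode=prefer",
    "host = 'db 2' sslmode = 'verify-full'",
    "postgresql://app@db3/orders?sslmode=require",
    "postgres://db4/x?sslmode=verify-ca",
]
```

Calling `audit(SAMPLE)` lists the first, second and fourth entries; the first is flagged only because an unset sslmode falls back to `prefer`.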
