"Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch> writes:
> However, one client also configured some client certificates + "sslmode=prefer" which resulted in "could not accept
sslconnection tlsv1 alert unknown ca".
I'm no expert, but I think this typically means a missing or untrusted
intermediate certificate, that is no chain of trust to one of the
certs that your OpenSSL considers trusted.
> I always thought that Postgres does only validate certificates with "sslmode=verify-ca" and "sslmode=verify-full" =>
https://www.postgresql.org/docs/current/libpq-ssl.html
Those cause some additional checks to be made, but it's not like
you can expect a completely broken certificate to work without them.
regards, tom lane
