"Zwettler Markus (OIZ)" <Markus.Zwettler@xxxxxxxxxx> writes:
> However, one client also configured some client certificates + "sslmode=prefer" which resulted in "could not accept ssl connection tlsv1 alert unknown ca".

I'm no expert, but I think this typically means a missing or untrusted intermediate certificate, that is, no chain of trust to one of the certs that your OpenSSL considers trusted.

> I always thought that Postgres does only validate certificates with "sslmode=verify-ca" and "sslmode=verify-full" => https://www.postgresql.org/docs/current/libpq-ssl.html

Those cause some additional checks to be made, but it's not like you can expect a completely broken certificate to work without them.

regards, tom lane
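
The missing-intermediate case mentioned in the reply above can be reproduced offline with the openssl CLI. This is an added example, not part of the original thread: the CA and client names, file names and function names are constructed, and the chain is checked with `openssl verify` rather than through a PostgreSQL server.

```shell
#!/bin/sh
# Constructed chain: root CA -> intermediate CA -> client certificate.
# All subject names and file names are made up for this example.

build_chain() {   # $1 = empty working directory
  ( cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: the only certificate the verifier trusts.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.crt -subj "/CN=Constructed Root CA" -days 1 &&
    # Intermediate CA, signed by the root.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout int.key -out int.csr -subj "/CN=Constructed Intermediate CA" &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -out int.crt -days 1 &&
    # Client certificate, signed by the intermediate and not by the root.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout client.key -out client.csr -subj "/CN=appuser" &&
    openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -out client.crt -days 1
  ) >/dev/null 2>&1
}

# Verifier knows only the root: no path from client.crt to a trusted cert.
verify_root_only() {
  openssl verify -CAfile "$1/root.crt" "$1/client.crt" >/dev/null 2>&1
}

# Same trust anchor, but the intermediate is supplied with the client cert.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    "$1/client.crt" >/dev/null 2>&1
}
```

The first check fails because no issuer for the client certificate can be found; the second succeeds once the intermediate is available to complete the path to the trusted root.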