"Zwettler Markus (OIZ)" <markus.zwett...@zuerich.ch> writes: > However, one client also configured some client certificates + > "sslmode=prefer" which resulted in "could not accept ssl connection tlsv1 > alert unknown ca".
I'm no expert, but I think this typically means a missing or untrusted intermediate certificate, that is no chain of trust to one of the certs that your OpenSSL considers trusted. > I always thought that Postgres does only validate certificates with > "sslmode=verify-ca" and "sslmode=verify-full" => > https://www.postgresql.org/docs/current/libpq-ssl.html Those cause some additional checks to be made, but it's not like you can expect a completely broken certificate to work without them. regards, tom lane
