require verify-ca to specify sslrootcert when sslmode is libpq compat

hjr3 · hjr3 · commit f58c6ff72788 · 2025-04-09T06:26:22.000-04:00
diff --git a/packages/pg-connection-string/index.js b/packages/pg-connection-string/index.js
@@ -108,6 +108,9 @@ function parse(str) {
         break
       }
       case 'verify-ca': {
+        if (!config.ssl.ca) {
+          throw new Error('sslmode=verify-ca requires specifying a CA with sslrootcert')
+        }
         config.ssl.checkServerIdentity = function () {}
         break
       }
diff --git a/packages/pg-connection-string/test/parse.js b/packages/pg-connection-string/test/parse.js
@@ -297,6 +297,13 @@ describe('parse', function () {
 
   it('configuration parameter sslmode=verify-ca with libpq compatibility', function () {
     var connectionString = 'pg:///?sslmode=verify-ca&sslcompat=libpq'
+    expect(function () {
+      parse(connectionString)
+    }).to.throw()
+  })
+
+  it('configuration parameter sslmode=verify-ca and sslrootcert owith libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=verify-ca&sslcompat=libpq&sslrootcert=' + __dirname + '/example.ca'
     var subject = parse(connectionString)
     subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
     expect(subject.ssl.checkServerIdentity()).be.undefined

Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,9 @@ function parse(str) {`
`108`	`108`	`break`
`109`	`109`	`}`
`110`	`110`	`case 'verify-ca': {`
	`111`	`+ if (!config.ssl.ca) {`
	`112`	`+ throw new Error('sslmode=verify-ca requires specifying a CA with sslrootcert')`
	`113`	`+ }`
`111`	`114`	`config.ssl.checkServerIdentity = function () {}`
`112`	`115`	`break`
`113`	`116`	`}`