Hello Jim,

> Hi Jelte, thanks for the message. You're right, an invalid cert path
> does solve the issue - I even use it for tests. Although it solves the
> authentication issue it still looks in my eyes like a non intuitive
> workaround/hack. Perhaps a new sslmode isn't the right place for this
> "feature"? Thanks again for the suggestion!

I do not think it is worth it to change the current behavior of PostgreSQL in that sense.

PostgreSQL looks for the cert and key under `~/.postgresql` as a facility. These files do not exist by default, so if PostgreSQL finds something in there it assumes you want to use it.

I also think it is correct in the sense of choosing the certificate over a password-based authentication when it finds a certificate, as the cert-based would provide you with stronger checks.

I believe that using libpq services would be a better approach if you want to connect to several PostgreSQL clusters from the very same source machine. That way you would specify whatever is specific to each target cluster in a centralized configuration file and just reference each target cluster by its service name in the connection string. It would require that you move the SSL cert and key from `~/.postgresql` to somewhere else and specify `sslcert` and `sslkey` in the expected service in the `~/.pg_service.conf` file.

More info about that can be found at:

https://www.postgresql.org/docs/current/libpq-pgservice.html

Best regards,
Israel.
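
A sketch of the service-file layout suggested in the message above, added here as an illustration and not part of the original thread. The service names, hosts, database, user and file paths are constructed placeholders; the parameter keywords are standard libpq connection parameters.

```ini
# ~/.pg_service.conf (constructed example; names, hosts and paths are placeholders)

# Cluster that authenticates this client by certificate.
# The cert and key were moved out of ~/.postgresql, so they are named
# explicitly here and apply to this service only.
[cluster_a]
host=db-a.example.com
port=5432
dbname=appdb
user=app_user
sslmode=verify-full
sslrootcert=/home/app_user/.pgcerts/cluster_a/root.crt
sslcert=/home/app_user/.pgcerts/cluster_a/client.crt
# libpq refuses a user-owned key file that has group or world access;
# keep it at mode 0600.
sslkey=/home/app_user/.pgcerts/cluster_a/client.key

# Cluster that uses password authentication.
# No sslcert/sslkey is set, and nothing is left under ~/.postgresql for
# libpq to pick up by default, so no client certificate is offered.
# The password comes from the prompt or from ~/.pgpass.
[cluster_b]
host=db-b.example.com
port=5432
dbname=appdb
user=app_user
sslmode=verify-full
sslrootcert=/home/app_user/.pgcerts/cluster_b/root.crt

# Connect by service name in the connection string:
#   psql "service=cluster_a"
#   psql "service=cluster_b"
```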