no way to set rejectUnauthorized from pg-connection-string

Hi everyone, I have a requirement to use verify-ca - with the AWS RDS proxy service the hostname is invalid and you can only check the CA. The OS already has the relevant AWS CA installed.

I’m not clear on whether doing the above (set rejectUnauthorized: false) will actually check the CA? Is there an equivalent to the native verify-ca option or do I need to specify the CA certificate to make it check just the CA?

👍 for having an sslmode argument but want to make sure it’ll actually match psql configuration exactly

My recommendation:

In general, we should adhere to the libpq connection URI documentation. Specifically, we should support the Parameter Key Words.

• introduce sslmode. For non-native mode, I do not think we can easily support allow or prefer. I also think verify-ca will not work as expected as rejectUnauthorized seems to check the host. We can document the mapping for non-native mode like this:

I do not feel great about verify-ca not setting rejectUnauthorized = true. https://github.com/brianc/node-postgres-docs/issues/79 shows that rejectUnauthorized often requires the host to be specified. This is more strict than the true meaning of verify-ca. That being said, I wonder if we should make it rejectUnauthorized = true even though the postgres documentation states that verify-ca will not check the host.

• deprecate ssl. If both ssl and sslmode are specified, sslmode will win
• if ssl is set, also set rejectUnauthorized: true. This maintains the node default but makes it more obvious as to what is going on