python-postgres · kaazoo · May 3, 2024 · May 3, 2024
diff --git a/postgresql/documentation/driver.rst b/postgresql/documentation/driver.rst
@@ -282,6 +282,8 @@ interfaces:
  ``sslrootcrlfile``
   Revocation list file path. [Currently not checked.]
 
+ ``sslnoverify``
+  Optionally disable certificate verification.
 
 Connections
 ===========

diff --git a/postgresql/driver/pq3.py b/postgresql/driver/pq3.py
@@ -2796,11 +2796,13 @@ def _security(self, parameters):
 		self.sslcrtfile = parameters.get('sslcrtfile') or None
 		self.sslrootcrtfile = parameters.get('sslrootcrtfile') or None
 		self.sslrootcrlfile = parameters.get('sslrootcrlfile') or None
+		self.sslnoverify = parameters.get('sslnoverify') or None
 
 		self._socket_secure = {
 			'keyfile': self.sslkeyfile,
 			'certfile': self.sslcrtfile,
 			'ca_certs': self.sslrootcrtfile,
+			'noverify': self.sslnoverify,
 		}
 
 		if self.sslrootcrlfile is not None:

diff --git a/postgresql/python/socket.py b/postgresql/python/socket.py
@@ -51,10 +51,13 @@ def fatal_exception_message(typ, err) -> (str, None):
 	@property
 	def _security_context(self):
 		if self._security_context_ii is None:
-			from ssl import SSLContext, PROTOCOL_TLS_CLIENT
+			from ssl import SSLContext, PROTOCOL_TLS_CLIENT, CERT_NONE
 			ctx = self._security_context_ii = SSLContext(PROTOCOL_TLS_CLIENT)
 			ctx.check_hostname = False
 
+			if self.socket_secure.get('noverify') is not None:
+				ctx.verify_mode = CERT_NONE
+
 			cf = self.socket_secure.get('certfile')
 			kf = self.socket_secure.get('keyfile')
 			if cf is not None:
@@ -63,6 +66,8 @@ def _security_context(self):
 			ca = self.socket_secure.get('ca_certs')
 			if ca is not None:
 				self._security_context_ii.load_verify_locations(ca)
+			else:
+				self._security_context_ii.load_default_certs()
 
 		return self._security_context_ii