The following bug has been logged on the website:
Bug reference: 14395
Logged by: Balaji Chithambaram
Email address: balaji(dot)chithambaram(at)capitalone(dot)com
PostgreSQL version: 9.5.4
Operating system: Red Hat Enterprise Linux Server release 6.8
Description:
When we use the default client method sslmode=prefer, the expected behaviour is to
try an SSL connection by validating the certificate and then, if it doesn't succeed, go
for a non-SSL connection. But sslmode=prefer goes to an SSL connection without
checking the certificate provided.
This gives an opening: if any server IP configured for an SSL connection can be
spoofed with the same IP, then even though we enforced SSL with a certificate, the client can
connect without the actual certificate, and that defeats the purpose.