rejectUnauthorized: false is included in the documentation for connections when TLS self-signed client certs are in use

[PhilipAtCisco]

The example in https://node-postgres.com/features/ssl#self-signed-cert currently documents setting "rejectUnauthorized: false" option with a custom CA (and also the example below it for connectionString)

const config = {
  database: 'database-name',
  host: 'host-or-ip',
  // this object will be passed to the TLSSocket constructor
  ssl: {
    rejectUnauthorized: false,
    ca: fs.readFileSync('/path/to/server-certificates/root.crt').toString(),
    key: fs.readFileSync('/path/to/client-key/postgresql.key').toString(),
    cert: fs.readFileSync('/path/to/client-certificates/postgresql.crt').toString(),
  },
}

Is this correct when a self signed CA is in use?

It seems like an incorrect TLS client connection option to use as it would disable CA validation and should be set to 'true', unless I'm missing something?
https://nodejs.org/api/tls.html#tlsconnectoptions-callback

[brianc]

If you set rejectUnauthorized: false it does indeed disable CA validation. If you have a custom CA that works w/ your cert then you can turn on CA validation by setting rejectUnauthorized: false. Does that help clarify? 😄

[PhilipAtCisco]

If you set rejectUnauthorized: false it does indeed disable CA validation. If you have a custom CA that works w/ your cert then you can turn on CA validation by setting rejectUnauthorized: false. Does that help clarify? 😄

@brianc Yes, assuming you meant 'true' in your second sentence, I think? Correct me if I'm wrong but I believe what you're saying is if you're pinning the leaf certificate in the client, and you don't have a CA, then you would need to set rejectUnauthorized to false, because otherwise the default 'ca' list would be used? I haven't verified this, but it seems plausible based on the documentation.

But both examples on that webpage include a 'ca' list, so I think it might be better to update the examples to include rejectUnauthorized: true in both cases and maybe include a comment?

[brianc]

Thanks Charmander!

…

On Wed, Feb 11, 2026 at 7:56 PM Charmander ***@***.***> wrote: Closed #3600 <#3600> as completed via 0b64e4d <0b64e4d> . — Reply to this email directly, view it on GitHub <#3600 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAMHIIOE2JDQJCT5BGZSF34LPMT3AVCNFSM6AAAAACUY2Z6E6VHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMRSG4ZDCMZXHE2TINQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[PhilipAtCisco]

@brianc @charmander Thanks for changing the docs