Add canonical PostgreSQL client parameter sslmode

amotl · amotl · commit 10f275b9b8fc · 2025-02-17T12:30:06.000+01:00
This implements `sslmode=prefer` to connect to SSL-enabled CrateDB
instances without verifying the host name.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,6 +1,11 @@
 # Changelog
 
 ## Unreleased
+- Added canonical [PostgreSQL client parameter `sslmode`], implementing
+  `sslmode=prefer` to connect to SSL-enabled CrateDB instances without
+  verifying the host name.
+
+[PostgreSQL client parameter `sslmode`]: https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
 
 ## 2025/01/30 0.41.0
 - Dependencies: Updated to `crate-2.0.0`, which uses `orjson` for JSON marshalling
diff --git a/src/sqlalchemy_cratedb/dialect.py b/src/sqlalchemy_cratedb/dialect.py
@@ -228,8 +228,12 @@ def connect(self, host=None, port=None, *args, **kwargs):
         servers = to_list(server)
         if servers:
             use_ssl = asbool(kwargs.pop("ssl", False))
-            if use_ssl:
+            # TODO: Switch to the canonical default `sslmode=prefer` later.
+            sslmode = kwargs.pop("sslmode", "disable")
+            if use_ssl or sslmode in ["allow", "prefer", "require", "verify-ca", "verify-full"]:
                 servers = ["https://" + server for server in servers]
+            if sslmode == "require":
+                kwargs["verify_ssl_cert"] = False
             return self.dbapi.connect(servers=servers, **kwargs)
         return self.dbapi.connect(**kwargs)
 
