only try a <acronym>GSSAPI</acronym>-encrypted connection
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
<literal>gssencmode</literal> is ignored for Unix domain socket
communication. If <productname>PostgreSQL</productname> is compiled
without GSSAPI support, using the <literal>require</literal> option
will cause an error, while <literal>prefer</literal> will be accepted
but <application>libpq</application> will not actually attempt
a <acronym>GSSAPI</acronym>-encrypted
connection.<indexterm><primary>GSSAPI</primary><secondary sortas="libpq">with
libpq</secondary></indexterm>
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
<term><literal>sslmode</literal></term>
<listitem>
<para>
This option determines whether or with what priority a secure
<acronym>SSL</acronym> TCP/IP connection will be negotiated with the
server. There are six modes:
<variablelist>
<varlistentry>
<term><literal>disable</literal></term>
<listitem>
<para>
only try a non-<acronym>SSL</acronym> connection
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>allow</literal></term>
<listitem>
<para>
first try a non-<acronym>SSL</acronym> connection; if that
fails, try an <acronym>SSL</acronym> connection
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>prefer</literal> (default)</term>
<listitem>
<para>
first try an <acronym>SSL</acronym> connection; if that fails,
try a non-<acronym>SSL</acronym> connection
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>require</literal></term>
<listitem>
<para>
only try an <acronym>SSL</acronym> connection. If a root CA
file is present, verify the certificate in the same way as
if <literal>verify-ca</literal> was specified
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>verify-ca</literal></term>
<listitem>
<para>
only try an <acronym>SSL</acronym> connection, and verify that
the server certificate is issued by a trusted
certificate authority (<acronym>CA</acronym>)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>verify-full</literal></term>
<listitem>
<para>
only try an <acronym>SSL</acronym> connection, verify that the
server certificate is issued by a
trusted <acronym>CA</acronym> and that the requested server host name
matches that in the certificate
</para>
</listitem>
</varlistentry>
</variablelist>
See <xref linkend="libpq-ssl"/> for a detailed description of how
these options work.
</para>
<para>
<literal>sslmode</literal> is ignored for Unix domain socket
communication.
If <productname>PostgreSQL</productname> is compiled without SSL support,
using options <literal>require</literal>, <literal>verify-ca</literal>, or
<literal>verify-full</literal> will cause an error, while
options <literal>allow</literal> and <literal>prefer</literal> will be
accepted but <application>libpq</application> will not actually attempt
an <acronym>SSL</acronym>
connection.<indexterm><primary>SSL</primary><secondary
sortas="libpq">with libpq</secondary></indexterm>
</para>
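<para>
An added example, not part of the PostgreSQL sources or of <application>libpq</application>: a Python model of the attempt order and certificate checks listed above, usable for auditing keyword/value connection strings for modes that still permit a non-<acronym>SSL</acronym> connection. The function names, the <literal>ssl_compiled</literal> and <literal>root_ca_present</literal> parameters, and the rule that a string with neither <literal>host</literal> nor <literal>hostaddr</literal> is a Unix domain socket connection are assumptions of this example.
</para>

```python
import re

# Attempt order per sslmode, as listed above ("ssl" or "plain").
ATTEMPTS = {
    "disable": ["plain"],
    "allow": ["plain", "ssl"],
    "prefer": ["ssl", "plain"],
    "require": ["ssl"],
    "verify-ca": ["ssl"],
    "verify-full": ["ssl"],
}
# keyword = value pairs; a value may be single-quoted with backslash escapes.
PAIR = re.compile(r"\s*(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S*))")

def parse_conninfo(conninfo):
    """Parse a keyword/value connection string into a dict."""
    params = {}
    for m in PAIR.finditer(conninfo):
        key, quoted, bare = m.groups()
        params[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
    return params

def plan(conninfo, ssl_compiled=True, root_ca_present=False):
    """Return (attempts in order, certificate check) for a connection string."""
    p = parse_conninfo(conninfo)
    mode = p.get("sslmode", "prefer")  # prefer is the default
    if mode not in ATTEMPTS:
        raise ValueError(f"invalid sslmode: {mode}")
    host = p.get("host", "")
    # Assumption: no host and no hostaddr means a Unix domain socket.
    if host.startswith("/") or not (host or p.get("hostaddr")):
        return ["unix-socket"], "none"  # sslmode is ignored here
    if not ssl_compiled:
        if ATTEMPTS[mode] == ["ssl"]:
            raise RuntimeError(f"sslmode={mode} needs SSL support")
        return ["plain"], "none"  # accepted, but SSL is never attempted
    if mode == "verify-full":
        check = "ca+hostname"
    elif mode == "verify-ca" or (mode == "require" and root_ca_present):
        check = "ca"  # require behaves like verify-ca if a root CA file exists
    else:
        check = "none"
    return list(ATTEMPTS[mode]), check

def allows_plaintext(conninfo, **kw):
    """True if the planned attempts include a non-SSL TCP/IP connection."""
    return "plain" in plan(conninfo, **kw)[0]
```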