*** postgresql-8.4-8.4.3/src/backend/libpq/be-secure.c	2010-02-25 21:26:26.000000000 +0800
--- postgresql-8.4-8.4.3-patched/src/backend/libpq/be-secure.c	2010-05-22 18:25:50.000000000 +0800
***************
*** 819,824 ****
--- 822,839 ----
  	else
  	{
  		/*
+ 		 * Despite having already loaded the root certificate list and set it
+ 		 * as trusted to identify peers, OpenSSL won't send that list of certs
+ 		 * to a client when we issue a CertificateRequest. Some clients need
+ 		 * to know what root(s) we trust so they can select an appropriate 
+ 		 * certificate to send us.
+ 		 *
+ 		 * Load the list of roots and tell OpenSSL to send it to the
+ 		 * client during negotiation.
+ 		 */ 
+ 		SSL_CTX_set_client_CA_list( SSL_context, SSL_load_client_CA_file(ROOT_CERT_FILE) );
+ 
+ 		/*
  		 * Check the Certificate Revocation List (CRL) if file exists.
  		 * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,
  		 * 00.html
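Review bot: The result of `SSL_load_client_CA_file(ROOT_CERT_FILE)` on the added call line goes straight into `SSL_CTX_set_client_CA_list()` without a NULL check. If the file cannot be read or parsed at that point, the CertificateRequest carries an empty CA list and nothing is logged, so the problem this patch targets comes back silently. Load the list into a local first and report a failure, as in the fence below; `STACK_OF(X509_NAME) *root_cert_list` would be declared at the head of the enclosing block, whose `if` and closing brace are outside the hunk. The new comment should also state that the subject names of every certificate in the root file are sent to clients before they authenticate, so that file should hold only the CAs intended for client-certificate verification.

```c
		/* … unchanged: comment explaining why the CA list must be sent … */
		root_cert_list = SSL_load_client_CA_file(ROOT_CERT_FILE);
		if (root_cert_list == NULL)
			ereport(LOG,
					(errmsg("could not load client CA list from \"%s\": %s",
							ROOT_CERT_FILE, SSLerrmessage())));
		else
			SSL_CTX_set_client_CA_list(SSL_context, root_cert_list);
```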
