diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 3998b1781b..13e3e63768 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -8342,16 +8342,31 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
In verify-full mode, the host name is matched against the
- certificate's Subject Alternative Name attribute(s), or against the
- Common Name attribute if no Subject Alternative Name of type dNSName is
+ certificate's Subject Alternative Name attribute(s) (SAN), or against the
+ Common Name attribute if no SAN of type dNSName is
present. If the certificate's name attribute starts with an asterisk
(*), the asterisk will be treated as
a wildcard, which will match all characters except a dot
(.). This means the certificate will not match subdomains.
If the connection is made using an IP address instead of a host name, the
- IP address will be matched (without doing any DNS lookups).
+ IP address will be matched (without doing any DNS lookups) against SANs of
+ type iPAddress or dNSName. If no
+ ipAddress SAN is present and no
+ matching dNSName SAN is present, the host IP address is
+ matched against the Common Name attribute.
+
+
+ For backward compatibility with earlier versions of PostgreSQL, the host
+ IP address is verified in a manner different
+ from RFC 6125.
+ The host IP address is always matched against dNSName
+ SANs as well as iPAdress SANs, and can be matched
+ against the Common Name attribute for a certain condition.
+
+
+
To allow server certificate verification, one or more root certificates
must be placed in the file ~/.postgresql/root.crt
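Review bot: The SAN type name is spelled three ways in the added lines: "iPAddress" in the first added sentence, "ipAddress" in "If no ipAddress SAN is present", and "iPAdress" in the backward-compatibility note. Use "iPAddress" throughout so that it matches the first use and the "dNSName" capitalization style. In the same note, "can be matched against the Common Name attribute for a certain condition" leaves the reader guessing at a detail that decides whether verify-full accepts a certificate. Restate the condition given in the paragraph above (no iPAddress SAN present and no matching dNSName SAN), or point back to it explicitly. That paragraph also mixes "no iPAddress SAN is present" with "no matching dNSName SAN is present". If the Common Name fallback is meant to be skipped whenever any iPAddress SAN exists, even a non-matching one, say so in the text. Finally, "verified in a manner different from RFC 6125" would be easier to act on if it named the difference directly, which the following sentence already half does. Consider merging the two sentences.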