After updating from 1.10.6 to 1.10.7 I found that when using sslmode=verify-ca mode:

• client.ConnectionState().ServerName in this part of code has value of host parameter from db connection string
• few lines below it is used to verify leaf server cert - https://github.com/lib/pq/blob/master/ssl.go#L202 breaking verify-ca option, throwing x509: “*.<host>” certificate name does not match input

In version 1.10.6 sslVerifyCertificateAuthority function was using empty string in its place, ignoring verification of leaf certificate.

I would like to be able to use sslsni option and on same time use verify-ca option.