On 24.04.25 12:53, Christoph Berg wrote:
> Now you can say `psql -h db.example.com -p 5433 dbfoo`, but for
> specifying the sslmode, you have to rewrite at least the last argument
> to use connection string syntax, `psql "dbname=dbfoo sslmode=verify-full"`.
> This needs to be less cumbersome. (And the names of the options make
> me want to stay away from them, require/verify-ca/verify-full/verify-confusing.
> Your sslmode=secure idea is really good.)

I'm generally in favor of making sslmode=verify-full the effective default somehow.

Another detail to think about is how this affects psql -h localhost. In principle, this should require full SSL, but you're probably not going to have certificates that allow "localhost". And connections to localhost are the default on Windows. We could also switch the Windows default to Unix-domain sockets. But there are probably still other reasons why connections to TCP/IP localhost are made. Some things to think about.


