by agwa 3656 days ago
tajen advocated a CA-issued certificate along with the "require" option, which makes sense under no common scenario. If your network really is secure, you don't need TLS at all, so you can use "disable" and not bother with a cert. If your network isn't secure, then you need "verify-full" to actually have security.
1 comments

Actually, I just wanted to point that out. Actually, on AWS you actually connect with SSL when you have an RDS instance and using psql on an EC2 instance. However, it will run with "prefer", which isn't really needed there.
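The sslmode distinction discussed in this thread, as an added example that is not part of either comment: a small Python audit that works out which sslmode a libpq connection string ends up with (including the "prefer" default) and what that mode guarantees. The function names, the simplified keyword/value parsing and the sample hosts are assumptions made for illustration.

```python
import shlex
from urllib.parse import urlsplit, parse_qs

# Guarantees of each libpq sslmode, per the PostgreSQL documentation:
# (encryption guaranteed, CA chain verified, hostname verified)
SSLMODES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),  # TLS only if the server insists
    "prefer":      (False, False, False),  # opportunistic, may fall back to plaintext
    "require":     (True,  False, False),  # acts like verify-ca only if a root CA file exists
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

def effective_sslmode(conninfo, env=None):
    """Return the sslmode libpq would use for a URI or keyword/value string."""
    env = env or {}
    if conninfo.startswith(("postgres://", "postgresql://")):
        params = {k: v[-1] for k, v in parse_qs(urlsplit(conninfo).query).items()}
    else:
        # Simplified keyword/value parsing (assumption): no spaces around '='.
        params = dict(t.split("=", 1) for t in shlex.split(conninfo) if "=" in t)
    # Explicit parameter wins, then PGSSLMODE, then libpq's default "prefer".
    return params.get("sslmode") or env.get("PGSSLMODE") or "prefer"

def audit(conninfo, env=None):
    """Classify a connection string by what it guarantees on an untrusted network."""
    mode = effective_sslmode(conninfo, env)
    if mode not in SSLMODES:
        return mode, "invalid sslmode"
    encrypted, ca_checked, host_checked = SSLMODES[mode]
    if not encrypted:
        return mode, "plaintext possible"
    if not ca_checked:
        return mode, "encrypted, server not authenticated"
    if not host_checked:
        return mode, "CA verified, hostname not checked"
    return mode, "server authenticated"

# Constructed sample connection strings; hosts and database names are placeholders.
SAMPLES = [
    "postgresql://app@db.example.internal:5432/orders?sslmode=require",
    "host=db.example.internal dbname=orders",             # no sslmode: default applies
    "host=db.example.internal dbname=orders sslmode='verify-full'",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit(s), "<-", s)
```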