On 2016-10-25 14:41:34 +0000, Chithambaram, Balaji (CONT) wrote:
> We can enforce on our client setup sslmode=verify-ca or
> verify-full.
I guess you meant "can't" not "can"?
> How can we make sure sslmode=prefer either checks the
> certificate and establish ssl connection or not to try setting up ssl
> connection.
That's a nonsensical configuration, you can't.
> Let me ask in another way, is it possible to block sslmode=prefer from
> any clients on the server configuration like postgresql.conf or
> pg_hba.conf or in any other place.
No. Client configuration can't be enforced on the serverside. Random
client libraries can do whatever they want.
Andres