This is what I've got currently but it's still allowing non-ssl connections from remote (non-local/private) hosts. Any thoughts?
local all all trust host all all 127.0.0.1/32 trust host all all ::1/128 trust host all all 10.0.0.0/8 md5 host all all 172.16.0.0/12 md5 hostssl all all all md5 clientcert=verify-ca
Also when I require SSL on the client it allows SSL connections without a CA signed cert which I thought clientcert=verify-ca in this pg_hba should require.