I wrote:
> [ a bunch of stuff ]
After looking into this morning's patches digest, I see that half of
this already occurred to you :-).
I'd still suggest extending the client to fall back to non-SSL if the
server rejects the connection (unless it is told by the application
that it must make an SSL connection). Then there's no compatibility
problem at all, even for mix-and-match SSL-enabled and not-SSL-enabled
clients and servers.
regards, tom lane