Martijn van Oosterhout <kleptog@svana.org> writes:
> It is possible to continue communicating after SSL negotiation failure.
> If SSL_accept/connect return 0, that means the negotiation failed
> cleanly and in theory libpq could continue in non-SSL mode.
We'd have to change the backend too, though, because in existing
releases it likewise will drop out on SSL negotiation failure.
> I think long term this would be the nicest solution (no double
> connections) but it's probably more complicated then looping around
> again after SSL failure.
I don't think it's that important. If the backend is configured with
ssl = off then we already fall through without using an extra connection
cycle. The double connection only occurs if both sides think they
should use SSL but something goes wrong ... which is probably a
situation that needs user attention anyway.
regards, tom lane