SSL not working

I created a service that runs a PostgreSQL DB. In the description of the DB I see that SSL is required to connect to the DB:
SSL mode require

However, when I connect to the DB from my app, I discovered that the connection also works without an SSL certificate. This is quite worrisome as I want to be sure that the communication to the DB is encrypted but … it seems that it is not …
Is there a way to enforce SSL on the service side?

Additional info: I do not connect to the default DB but to a new DB that I created, and I connect through a connection pool (in case this makes any difference).

Hey Valerian,

Thanks for the question - welcome to the community.

To be clear, the traffic – when using Aiven’s PostgreSQL services – is always encrypted.
The difference is whether or not a certificate is required and verified.

Some general information on our certificate requirements can be found here: TLS/SSL certificates | Aiven docs

PostgreSQL SSL Modes: PostgreSQL: Documentation: 16: 34.1. Database Connection Control Functions

When the sslmode is set to ‘require’, the server and client effectively agree on an encryption scheme, but the server is not verified. From a security perspective, this could be worrisome as service names/endpoints could be spoofed, and there’s no guarantee the endpoint you’re talking to is the one you want. The data will be encrypted while in-transit, but the server may not be legitimate.

When the sslmode is set to verify-ca (or verify-full) a certificate file must be provided in some way/shape/form, and this certificate is verified. Data to-and-from the server is encrypted and the endpoint has been verified.

In case it’s helpful, I tested these settings using a Python script as described in this document: Connect with Python | Aiven docs

I downloaded the certificate for my project in my project’s service page, and changed “?sslmode=require” to “?sslmode=verify-ca”.

Hope this all helps!

Kevin
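
Added example, not part of the thread or of Aiven's documentation: a small Python check that reports what a connection URI's sslmode guarantees and rewrites the URI from `require` to `verify-ca`, the change described in the answer above. The function names, the sample URI and the `ca.pem` path are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# libpq sslmode -> (encrypted, CA chain verified, hostname verified).
# None means "depends on what the server offers", so not guaranteed.
SSLMODES = {
    "disable":     (False, False, False),
    "allow":       (None,  False, False),
    "prefer":      (None,  False, False),
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

def audit_uri(uri, env=None):
    """Report what a PostgreSQL connection URI guarantees about TLS."""
    query = dict(parse_qsl(urlsplit(uri).query))
    # libpq precedence: URI parameter, then PGSSLMODE, then "prefer".
    mode = query.get("sslmode") or (env or {}).get("PGSSLMODE") or "prefer"
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode: {mode!r}")
    encrypted, ca_verified, host_verified = SSLMODES[mode]
    return {"sslmode": mode, "encrypted": encrypted,
            "server_verified": ca_verified, "hostname_verified": host_verified}

def harden_uri(uri, ca_path, mode="verify-ca"):
    """Rewrite the URI so the server certificate is checked against ca_path."""
    if mode not in ("verify-ca", "verify-full"):
        raise ValueError("mode must be verify-ca or verify-full")
    parts = urlsplit(uri)
    query = dict(parse_qsl(parts.query))
    query.update(sslmode=mode, sslrootcert=ca_path)
    return urlunsplit(parts._replace(query=urlencode(query, safe="/")))

# Constructed sample URI: placeholder host and credentials, not a real service.
SAMPLE = "postgres://appuser:secret@pg-example.invalid:5432/mydb?sslmode=require"

if __name__ == "__main__":
    print(audit_uri(SAMPLE))                  # encrypted, server not verified
    hardened = harden_uri(SAMPLE, "ca.pem")   # ca.pem: assumed CA file path
    print(hardened)
    print(audit_uri(hardened))                # encrypted and server verified
```

Running `audit_uri` over every connection string in an application's configuration is a quick way to find connections that encrypt traffic but never check which server they reached.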