Support sslmode=verify-ca and sslmode=verify-full with sslrootcert for PostgreSQL #293

@Elrendio

Description

Problem

When connecting to managed PostgreSQL services like AWS RDS, the only supported SSL modes are disable and require. Using sslmode=require sets rejectUnauthorized: false in node-postgres, which encrypts traffic but does not verify the server certificate. Any other sslmode value (e.g. verify-ca) causes a "No connector found for DSN" error.

For production databases, we need to verify the server certificate against a known CA bundle (e.g. the AWS RDS CA bundle) to prevent MITM attacks.

Proposed solution

Support sslmode=verify-ca and sslmode=verify-full in the PostgreSQL DSN parser, along with the standard libpq sslrootcert parameter:

postgres://user:pass@host:5432/db?sslmode=verify-ca&sslrootcert=/path/to/ca-bundle.pem

In src/connectors/postgres/index.ts, the sslmode handling could be extended to:

import * as fs from "node:fs";

// value = url.searchParams.get("sslmode"), config = the node-postgres ClientConfig being built
if (value === "disable") {
  config.ssl = false;
} else if (value === "require") {
  // Encrypts the connection but skips certificate verification (libpq "require" semantics).
  config.ssl = { rejectUnauthorized: false };
} else if (value === "verify-ca" || value === "verify-full") {
  const sslrootcert = url.searchParams.get("sslrootcert");
  config.ssl = {
    rejectUnauthorized: true,
    // Trust only the supplied CA bundle; without sslrootcert Node falls back to its built-in root store.
    ...(sslrootcert && { ca: fs.readFileSync(sslrootcert, "utf-8") }),
    // libpq's verify-ca validates the chain but not the hostname, while Node's tls checks the
    // hostname by default, so opt out of the hostname check only for verify-ca.
    ...(value === "verify-ca" && { checkServerIdentity: () => undefined }),
  };
}

This would align with PostgreSQL's standard sslmode values and enable secure connections to managed databases that use custom CA certificates.

Use Case

We run DBHub against multiple AWS RDS PostgreSQL instances via TOML config. We need certificate verification to comply with our security requirements. Currently we're stuck with sslmode=require which encrypts but doesn't authenticate the server.

I'm happy to open a PR for this if you're open to the contribution.
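The following is an added, self-contained sketch of the DSN-to-ssl mapping the issue asks for, written for this page and not taken from DBHub or node-postgres. The function `sslConfigFromDsn`, its injectable `readCa` reader, the `SslOptions` shape and the sample DSN and PEM string are all assumptions made for the example. It returns the object node-postgres would pass through to `tls.connect()`, keeps `require` as encrypt-only, pins trust to the `sslrootcert` bundle for the two verify modes, and preserves the libpq distinction that `verify-ca` checks the chain but not the hostname while `verify-full` checks both. Unknown `sslmode` values are rejected explicitly instead of silently falling back to an unverified connection.

```typescript
import { readFileSync } from "node:fs";

// Minimal shape of the `ssl` option node-postgres forwards to tls.connect().
// (Assumed for this example; the real type is tls.ConnectionOptions.)
export interface SslOptions {
  rejectUnauthorized: boolean;
  ca?: string;
  checkServerIdentity?: () => undefined;
}

export type PgSslConfig = false | SslOptions;

// Hypothetical helper: map libpq's sslmode / sslrootcert DSN parameters onto
// node-postgres ssl settings. `readCa` is injectable so the function can be
// exercised without touching the filesystem; by default it reads the PEM bundle.
export function sslConfigFromDsn(
  dsn: string,
  readCa: (path: string) => string = (p) => readFileSync(p, "utf-8"),
): PgSslConfig | undefined {
  const url = new URL(dsn);
  const mode = url.searchParams.get("sslmode");
  const sslrootcert = url.searchParams.get("sslrootcert");

  switch (mode) {
    case null:
      // No sslmode given: leave node-postgres at its default behaviour.
      return undefined;
    case "disable":
      return false;
    case "require":
      // TLS is used, but the server certificate is NOT verified (libpq "require").
      return { rejectUnauthorized: false };
    case "verify-ca":
    case "verify-full": {
      const ssl: SslOptions = { rejectUnauthorized: true };
      if (sslrootcert) {
        // Pin trust to the supplied bundle (e.g. the AWS RDS CA bundle); with no
        // sslrootcert Node falls back to its built-in root store.
        ssl.ca = readCa(sslrootcert);
      }
      if (mode === "verify-ca") {
        // libpq's verify-ca validates the chain only. Node's tls verifies the
        // hostname by default, so opt out of that check for this mode alone;
        // verify-full keeps it.
        ssl.checkServerIdentity = () => undefined;
      }
      return ssl;
    }
    default:
      // Fail closed: an unrecognised mode must not degrade to an unverified connection.
      throw new Error(
        `Unsupported sslmode "${mode}" (expected disable, require, verify-ca or verify-full)`,
      );
  }
}

// Constructed sample input: a DSN of the form proposed in the issue, with an
// injected placeholder PEM string standing in for a real CA bundle on disk.
export const sampleCa =
  "-----BEGIN CERTIFICATE-----\n(constructed placeholder, not a real certificate)\n-----END CERTIFICATE-----\n";

export const example = sslConfigFromDsn(
  "postgres://user:pass@db.example.internal:5432/app?sslmode=verify-full&sslrootcert=/etc/ssl/rds-ca.pem",
  () => sampleCa,
);
```

With the real default reader, a missing or unreadable `sslrootcert` path throws at parse time rather than at first connection, which is the failure you want: a misconfigured CA path should never quietly become an unverified TLS session.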
