> The problem is this: sslmode=require encrypts, but it doesn’t authenticate. It does all the hard work to make sure your communication channel is secured, while doing nothing at all to check who’s on the other end of it.

I fail to see the problem with this. For a general setup within a secure network, dinking around with CAs and certificates is more headache than necessary. You already know the server you're communicating with. The connection just needs to be encrypted.

I think it comes down to these two questions:

* If the network is secure, why do you want to encrypt?

* If the network isn't secure, why don't you want to authenticate?

Encryption without authentication generally seems like a strange combination.

Is the state of affairs getting any better in Postgres 18?