RDS PG : able to connect without CA even if rds.force_ssl is enabled

Question

I am able to connect RDS PG without giving CA inspite of enabling rds.force_ssl in Cluster parameter group associated to my DB cluster. How is it possible? Am I missing something?

Here is the output,

$ psql 'host=database-aurora-serverless-v2.cluster-cv55oxgkbnkf.us-east-1.rds.amazonaws.com user=postgres dbname=postgres'
Password for user postgres:
psql (14.8 (Ubuntu 14.8-0ubuntu0.22.04.1), server 14.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES128-GCM-SHA256, bits: 128, compression: off)
Type "help" for help.

postgres=> SELECT * FROM pg_hba_file_rules;
 line_number |  type   |   database    | user_name  | address  | netmask |  auth_method  |  options  | error
-------------+---------+---------------+------------+----------+---------+---------------+-----------+-------
           2 | local   | {all}         | {rdsadmin} |          |         | peer          | {map=rds} |
           6 | local   | {all}         | {all}      |          |         | scram-sha-256 |           |
          12 | host    | {all}         | {rdsadmin} | samehost |         | scram-sha-256 |           |
          13 | host    | {all}         | {rdsadmin} | all      |         | reject        |           |
          14 | host    | {rdsadmin}    | {all}      | all      |         | reject        |           |
          15 | hostssl | {all}         | {all}      | all      |         | md5           |           |
          16 | host    | {replication} | {all}      | samehost |         | md5           |           |
(7 rows)

postgres=>

Accepted Answer

Hi,

I think the following [StackOverflow page](https://serverfault.com/questions/993754/force-ssl-on-aws-rds-postgres) answers your question.

> The server can force the client to use ssl to establish the connection, but it cannot force the client to verify the server's certificate. If your client is libpq based, then it will verify the certificate if and only if it can find the root certificate file (generally at ~/.postgresql/root.crt, if not specified as something else). If you specify PGSSLMODE=verify-ca or above on the client, then the client will throw an error if can't find the root cert file. If the sslmode is below that level and the client can't find the root cert file, then it will use the server's certificate to negotiate encryption, but will not use it to verify the identity of the server. So you get protection from passive eavesdropping, but not from active MITM attacks.

Answer

psql has SSL connections enabled by default.  
So to prevent SSL connections from being made, try setting an environment variable as follows.  
This would allow us to test if the connection fails if SSL connection is not used since it would be a non-SSL connection.  
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/ssl-certificate-rotation-aurora-postgresql.html#ssl-certificate-rotation-aurora-postgresql.determining-client

```
$ PGSSLMODE=disable \
  psql -h $HOST "dbname=dbname user=username"
```

RDS PG : able to connect without CA even if rds.force_ssl is enabled

Relevant content