SSL & Cloud Database Policies

Cloud-hosted PostgreSQL database instances (such as Supabase, Neon, and AWS RDS) reject unencrypted traffic by default. This page documents Bollard's automated SSL handshake policy, trust fallback mechanism, and configuration mappings.

1. Automatic SSL Enforcement

Rather than requiring developers to manually query and configure parameters like sslmode=require, Bollard inspects the target database connection string. If the host matches a known serverless cloud database provider domain, it enforces a secure context automatically.

| Cloud Provider | Host Domain Pattern | Default Mode | Bollard Automated Action |
|---|---|---|---|
| Supabase | *.supabase.co, *.supabase.red | require | Automatically appends sslmode=require for ports 5432 & 6543. |
| Neon | *.neon.tech | require | Enforces sslmode=require and auto-negotiates TLS protocol version. |
| Render | *.render.com | require | Appends sslmode=require to prevent handshake timeouts. |
| Railway | *.railway.app | require | Ensures secure handshake parameters on connection initialization. |
| AWS RDS | *.rds.amazonaws.com | verify-full (optional) | Initiates secure TCP context, falls back safely to verify if requested. |

2. Relaxed CA Trust Fallback

When connecting through corporate firewalls, local development proxies, or custom database configurations, you may encounter SSL certificate validation errors (such as "self-signed certificate in certificate chain" or "unable to get local issuer certificate").

Validation Failure Interception

Instead of crashing the active database adapter or disconnecting the agent daemon, Bollard catches SSL validation errors and securely renegotiates using a relaxed trust policy.

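How it works: If a standard SSL handshake fails local trust-chain validation (for example, because an internal root CA is missing), Bollard retries the connection after configuring the client driver to trust self-signed certificates. This guarantees stable connectivity inside containerized dev systems without compromising the transport-layer encryption. The retried connection is still encrypted, but the server certificate is not validated against a trusted CA, so the server's identity is not verified on that connection; where your policy requires server authentication, use the strict verification override described in section 3.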

3. Manual SSL Overrides

If your security policy requires verifying specific certificate authorities, you can append SSL settings directly to your connection URI. Bollard respects all driver-native parameters:

  • Force strict verification: postgresql://user:pass@host/db?sslmode=verify-full&sslrootcert=/path/to/server-ca.pem
  • Disable SSL entirely (Local development only): postgresql://user:pass@host/db?sslmode=disable
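
The host-pattern policy from section 1 combined with the override rule from section 3, as an added example (not Bollard's own code): it appends sslmode=require only when the host matches a provider pattern and the URI carries no explicit sslmode, and reports whether the resulting mode verifies the server certificate. The names apply_policy and match_provider and the sample URIs are hypothetical; AWS RDS is left out because the table marks its default as optional, and the exact matching Bollard performs is an assumption.

```python
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Patterns copied from the section 1 table (rows whose default mode is "require").
REQUIRE_PATTERNS = {
    "Supabase": ("*.supabase.co", "*.supabase.red"),
    "Neon": ("*.neon.tech",),
    "Render": ("*.render.com",),
    "Railway": ("*.railway.app",),
}
# libpq sslmode values that validate the server certificate chain.
VERIFYING_MODES = {"verify-ca", "verify-full"}


def match_provider(host):
    """Return the provider whose pattern matches the host, or None."""
    host = (host or "").lower().rstrip(".")
    for provider, patterns in REQUIRE_PATTERNS.items():
        # "*.supabase.co" needs a literal ".supabase.co" suffix, so lookalikes
        # such as "evilsupabase.co" or "supabase.co.example.net" do not match.
        if any(fnmatchcase(host, pattern) for pattern in patterns):
            return provider
    return None


def apply_policy(uri):
    """Return (uri, provider, sslmode, server_verified) for a connection URI."""
    parts = urlsplit(uri)
    provider = match_provider(parts.hostname)
    sslmode = dict(parse_qsl(parts.query)).get("sslmode")
    if sslmode is None and provider is not None:
        # No manual override present: enforce the provider default.
        sslmode = "require"
        query = f"{parts.query}&sslmode=require" if parts.query else "sslmode=require"
        uri = urlunsplit(parts._replace(query=query))
    # An explicit sslmode (even "disable") is a manual override and is kept.
    return uri, provider, sslmode, sslmode in VERIFYING_MODES


if __name__ == "__main__":
    # Constructed sample URIs, not real endpoints.
    for sample in (
        "postgresql://user:pass@db.example.supabase.co:5432/postgres",
        "postgresql://user:pass@ep-demo.neon.tech/db?sslmode=verify-full",
        "postgresql://user:pass@supabase.co.example.net/db",
    ):
        print(apply_policy(sample))
```

A result with sslmode "require" and server_verified False is the case to review when the security policy calls for authenticating the database server.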