PostgreSQL client should support direct SSL connections to Postgres 17+ servers

[danielfrankcom]

I have found these related issues/pull requests

Mentioned in #3264, although that issue is not directly relevant.

Description

Overview

PostgreSQL 17.0 introduced a new connection parameter called sslnegotiation that allows clients to establish TLS connections directly without the traditional PostgreSQL-specific SSL negotiation preamble. This feature offers performance benefits and better compatibility with certain proxy configurations.

• PostgreSQL 17.0 Release Notes • libpq Connection Parameters Documentation

Current Limitation

Currently, SQLx only supports the traditional PostgreSQL SSL negotiation method, which requires an extra round-trip and protocol-specific messages. This can cause issues with certain proxies (like mitmproxy and some corporate proxies) that don't understand the PostgreSQL protocol.

Prefered solution

Proposed Solution

Add support for the sslnegotiation connection parameter in SQLx's PostgreSQL connector, allowing users to choose between: • postgres (default): Traditional negotiation for backward compatibility • direct: New direct TLS negotiation for PostgreSQL 17+ servers

Benefits

1. Performance improvement: Fewer messages required to establish a secure connection
2. Better proxy compatibility: Works with proxies like mitmproxy that don't understand PostgreSQL protocol
3. Alignment with PostgreSQL ecosystem: libpq and other PostgreSQL drivers already support this feature

Is this a breaking change? Why or why not?

This should not be a breaking change, given libpq and other drivers support it already. The default sslnegotiation value results in the same connection procedure which was used previously. Use of the sslnegotiation=direct value would be opt-in only.