Okapi 2.36.0 is not able to talk to a PostgreSQL server that enforces SSL communication. Although a dedicated VLAN can be used for communication of this type, a single error or bug in the network setup can severely impact query privacy in this scenario, including exposure of database (login) information to a sniffing attacker. Defense in depth -> use everything that secures confidentiality and security of communication and hampers a potential adversary, so even crushing 0day exploits are highly unlikely to compromise the setup.
All vert.x PostgreSQL clients have SSL/TLS disabled by default:
It checks the server certificate (sslmode=verify-full) to prevent man-in-the-middle attacks (FOLIO-2412): https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
Enable TLSv1.3 only. If there is a need to support older protocol versions (that are not state of the art and violate GDPR) we can add them later.