Postgres handler supports sslrootcert and sslmode up to verify-ca

[jonahx]

A.C.

• handler credentials accepts sslmode and sslrootcert
• [default] When a connection is made to a server:
  • FAIL, if the server does not support TLS
  • DO NOT VERIFY, if no root CA is present
  • VERIFY the server certificate (same as verify-ca), if a root CA file is present
• When a connection is made to a server:
  • FAIL, if client requires TLS and server does not support it
  • DO NOT USE TLS, if sslmode=disable
  • ONLY USE TLS, if sslmode=prefer and server supports TLS
• test cases exist for each of the scenarios above

Checklist

The default case is handled by previous stories. We just need to add tests for
verifying the CA cert and for the lower options.

• fails if root CA present and doesn't match
• succeeds if root CA present and does match
• fails if TLS required but server doesn't support it
• succeeds without TLS if sslmode=disable
• if ssl mode is prefer, succeeds and uses TLS when server supports it
• if ssl mode is prefer, succeeds without TLS when server doesn't support it
• docs are updated again to reflect support