<term><literal>sslsni</literal><indexterm><primary>Server Name Indication</primary></indexterm></term>
<listitem>
<para>
If set to 1 (default), libpq sets the TLS extension <quote>Server Name
Indication</quote> (<acronym>SNI</acronym>) on SSL-enabled connections.
Setting this parameter to 0 turns this off.
</para>
<para>
The Server Name Indication can be used by SSL-aware proxies to route
connections without having to decrypt the SSL stream. (Note that
unless the proxy is aware of the PostgreSQL protocol handshake this
would require setting <literal>sslnegotiation</literal>
to <literal>direct</literal>.)
However, <acronym>SNI</acronym> makes the destination host name appear
in cleartext in the network traffic, so it might be undesirable in
some cases.
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-requirepeer" xreflabel="requirepeer">
<term><literal>requirepeer</literal></term>
<listitem>
<para>
This parameter specifies the operating-system user name of the
server, for example <literal>requirepeer=postgres</literal>.
When making a Unix-domain socket connection, if this
parameter is set, the client checks at the beginning of the
connection that the server process is running under the specified
user name; if it is not, the connection is aborted with an error.
This parameter can be used to provide server authentication similar
to that available with SSL certificates on TCP/IP connections.
(Note that if the Unix-domain socket is in
<filename>/tmp</filename> or another publicly writable location,
any user could start a server listening there. Use this parameter
to ensure that you are connected to a server run by a trusted user.)
This option is only supported on platforms for which the
<literal>peer</literal> authentication method is implemented; see
<xref linkend="auth-peer"/>.
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-ssl-min-protocol-version" xreflabel="ssl_min_protocol_version">
<term><literal>ssl_min_protocol_version</literal></term>
<listitem>
<para>
This parameter specifies the minimum SSL/TLS protocol version to allow
for the connection. Valid values are <literal>TLSv1</literal>,
<literal>TLSv1.1</literal>, <literal>TLSv1.2</literal> and
<literal>TLSv1.3</literal>. The supported protocols depend on the
version of <productname>OpenSSL</productname> used; older versions
do not support the most modern protocol versions. If not specified,
the default is <literal>TLSv1.2</literal>, which satisfies industry
best practices as of this writing.
</para>
</listitem>
</varlistentry>
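The settings described above for sslsni, requirepeer and ssl_min_protocol_version can be checked mechanically in connection strings before they are deployed. The following Python code is an added example, not part of the PostgreSQL documentation or of libpq; the names parse_conninfo, audit, PUBLIC_DIRS and hide_hostname are assumptions of this example, as is the choice of /tmp and /var/tmp as the publicly writable directories.

```python
import re

# Values the page lists for ssl_min_protocol_version, weakest first.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption: directories this check treats as publicly writable.
PUBLIC_DIRS = ("/tmp", "/var/tmp")

# keyword = value, where value is bare or single-quoted; \' and \\ are escapes.
_PAIR = re.compile(r"\s*(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|((?:[^\s'\\]|\\.)*))")

def parse_conninfo(conninfo):
    """Parse a libpq keyword/value connection string into a dict."""
    params, pos, text = {}, 0, conninfo.rstrip()
    while pos != len(text):
        m = _PAIR.match(text, pos)
        if m is None:
            raise ValueError("malformed conninfo at offset %d" % pos)
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)
        pos = m.end()
    return params

def audit(conninfo, hide_hostname=False):
    """Return {parameter: finding} for the settings described above."""
    p, findings = parse_conninfo(conninfo), {}
    host = p.get("host", "")
    # libpq treats a host value starting with "/" as a Unix-domain socket directory.
    on_socket = host.startswith("/")
    tls_min = p.get("ssl_min_protocol_version")
    if tls_min is not None:
        if tls_min not in TLS_ORDER:
            findings["ssl_min_protocol_version"] = "not a valid value: " + tls_min
        elif TLS_ORDER.index("TLSv1.2") > TLS_ORDER.index(tls_min):
            findings["ssl_min_protocol_version"] = tls_min + " is below the TLSv1.2 default"
    if on_socket and not p.get("requirepeer"):
        if any(host == d or host.startswith(d + "/") for d in PUBLIC_DIRS):
            findings["requirepeer"] = "socket in " + host + " and no server user pinned"
    if hide_hostname and not on_socket and p.get("sslsni", "1") != "0":
        findings["sslsni"] = "host name is sent in cleartext in the TLS handshake"
    return findings

# Constructed sample connection strings, not taken from any real deployment.
WEAK_TLS = "host=db.example.internal ssl_min_protocol_version=TLSv1.1"
OPEN_SOCKET = "host=/tmp dbname=app"
PINNED_SOCKET = "host=/tmp dbname='my app' requirepeer=postgres"

if __name__ == "__main__":
    for s in (WEAK_TLS, OPEN_SOCKET, PINNED_SOCKET):
        print(s, "->", audit(s, hide_hostname=True))
```

Pass hide_hostname=True only where exposing the destination host name on the network is a concern, since SNI is on by default for every SSL-enabled connection.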
<varlistentry id="libpq-connect-min-protocol-version" xreflabel="min_protocol_version">
<term><literal>min_protocol_version</literal></term>
<listitem>
<para>
Specifies the minimum protocol version to allow for the connection.
The default is to allow any version of the
<productname>PostgreSQL</productname> protocol supported by libpq,
which currently means <literal>3.0</literal>. If the server
does not support at least this protocol version, the connection will be
closed.
</para>
<para>
The currently supported values are
<literal>3.0</literal>, <literal>3.2</literal>,
and <literal>latest</literal>. The <literal>latest</literal> value is
equivalent to the latest protocol version supported by the libpq
version being used, which is currently <literal>3.2</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-max-protocol-version" xreflabel="max_protocol_version">