The cold standby is able to do SSL connections to the primary, but currently only using on-the-fly generated certificates. This means that data is transferred over an encrypted connection but there is no protection against a man in the middle yet.
With this issue we want to:
- make server and client certificates configurable
- optionally validate the client certificate
- optionally only allow matching subjects in client and server certificates
This has been fixed in trunk and 1.22 branches, need to backport it to 1.8.