making a secure db connection on top of already existing SSL for the site

[Vlad]

Here is a quote from the web2py docs: 

"Making a secure connection

Sometimes it is necessary (and advised) to connect to your database using secure connection, especially if your database is not on the same server as your application. In this case you need to pass additional parameters to the database driver. You should refer to database driver documentation for details.

For PostgreSQL with psycopg2 it should look like this:

DAL('postgres://user_name:user_password@server_addr/db_name',

    driver_args={'sslmode': 'require', 'sslrootcert': 'root.crt',

                 'sslcert': 'postgresql.crt', 'sslkey': 'postgresql.key'})"

<<END QUOTE>>

I am wondering if this feature is still necessary for a secure db connection in case I anyway use SSL for the site. 

Does this secure postgres feature need to be used on top of existing SSL connection? Or it's rather for non-ssl site to make a db connection secure? 

[Massimo Di Pierro]

Yes if the database is not on the same physical machine or if the machine is not exclusively under your control.

The connection with the clients is different from the connection of the server with the database.