Some additional info on top of @janes answer:
https://www.postgresql.org/docs/current/protocol-flow.html
To initiate an SSL-encrypted connection, the frontend initially sendsan SSLRequest message rather than a StartupMessage. The server thenresponds with a single byte containing S or N, indicating that it iswilling or unwilling to perform SSL, respectively. The frontend mightclose the connection at this point if it is dissatisfied with theresponse. To continue after S, perform an SSL startup handshake (notdescribed here, part of the SSL specification) with the server. Ifthis is successful, continue with sending the usual StartupMessage. Inthis case the StartupMessage and all subsequent data will beSSL-encrypted. To continue after N, send the usual StartupMessage andproceed without encryption.