A potential security issue (CVE-2018-10936) has been addressed. It was theoretically possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. During the process of investigating this a number of changes have been made.
ssl=true now means
verify-full. This is a diversion from libpq which defaults to no validation or verification. With
verify-full the driver will verify the ssl certificate and validate that the host is the host named in the certificate.
The driver now also supports allow and prefer, see https://jdbc.postgresql.org/documentation/head/ssl-client.html for details.