diff --git a/postgresql/config.go b/postgresql/config.go
index c2f1410c..5ef33baa 100644
--- a/postgresql/config.go
+++ b/postgresql/config.go
@@ -46,6 +46,7 @@ const (
 featureServer
 featureCreateRoleSelfGrant
 featureSecurityLabel
+ featureSSLNegotation
 )
 
 var (
@@ -122,6 +123,9 @@ var (
 // https://www.postgresql.org/docs/16/release-16.html#RELEASE-16-PRIVILEGES
 featureCreateRoleSelfGrant: semver.MustParseRange(">=16.0.0"),
 featureSecurityLabel: semver.MustParseRange(">=11.0.0"),
+
+ // SSL without STARTTLS
+ featureSSLNegotation: semver.MustParseRange(">=17.0.0"),
 }
 )
 
@@ -175,6 +179,7 @@ type Config struct {
 DatabaseUsername string
 Superuser bool
 SSLMode string
+ SSLNegotiation string
 ApplicationName string
 Timeout int
 ConnectTimeoutSec int
@@ -221,6 +226,9 @@ func (c *Config) connParams() []string {
 // (TLS is provided by gocloud directly)
 if c.Scheme == "postgres" {
 params["sslmode"] = c.SSLMode
+ if c.featureSupported(featureSSLNegotation) {
+ params["sslnegotiation"] = c.SSLNegotiation
+ }
 params["connect_timeout"] = strconv.Itoa(c.ConnectTimeoutSec)
 }
 
diff --git a/postgresql/provider.go b/postgresql/provider.go
index 8bc7546d..88c0c2d5 100644
--- a/postgresql/provider.go
+++ b/postgresql/provider.go
@@ -147,6 +147,12 @@ func Provider() *schema.Provider {
 Optional: true,
 Deprecated: "Rename PostgreSQL provider `ssl_mode` attribute to `sslmode`",
 },
+ "sslnegotiation": {
+ Type: schema.TypeString,
+ Optional: true,
+ Default: "postgres",
+ Description: "This option controls how SSL encryption is negotiated with the server, if SSL is used. In the default postgres mode, the client first asks the server if SSL is supported. In direct mode, the client starts the standard SSL handshake directly after establishing the TCP/IP connection.",
+ },
 "clientcert": {
 Type: schema.TypeList,
 Optional: true,
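Review bot: The new constant in the `const (` hunk of postgresql/config.go is spelled `featureSSLNegotation`, missing the "i" that the `SSLNegotiation` field and the `sslnegotiation` attribute both have. The same spelling is repeated in the version-range map hunk and in the `connParams` hunk, so the code is self-consistent, but a later search for "Negotiation" will miss the feature flag. I would rename all three occurrences to `featureSSLNegotiation` before this lands.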
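Review bot: The comment `// SSL without STARTTLS` on the new map entry in postgresql/config.go does not tell a maintainer which connection option the flag gates or why the range starts at 17. The entry above it links to its release notes; this one should do the same and name the option, for example `// sslnegotiation connection parameter (direct SSL handshake, no SSLRequest round trip), added in PostgreSQL 17`. The enclosing `var (` block starts outside the hunk.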
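Review bot: In the `connParams` hunk, `params["sslnegotiation"]` is written whenever the version check passes, even if `c.SSLNegotiation` is empty (a `Config` built without the provider default) and whatever `c.SSLMode` is. PostgreSQL's client documentation allows direct negotiation only with `sslmode=require` or stronger, so a `direct` value paired with a weaker mode should be rejected at configure time rather than surfacing as a connection error. At minimum, guard the assignment with `if c.SSLNegotiation != "" && c.featureSupported(featureSSLNegotation) {`. It is also worth confirming that the Go driver in use treats `sslnegotiation` as a driver setting rather than forwarding it to the server as a runtime parameter; that is not visible from this hunk. The body of `connParams` continues outside the hunk.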
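Review bot: The new `"sslnegotiation"` schema entry in postgresql/provider.go accepts any string, so a typo such as "dirct" only fails at connection time, if at all. Assuming the SDK's validation helper is imported in this file (not visible here), add `ValidateFunc: validation.StringInSlice([]string{"postgres", "direct"}, false),` to the block. The description should also say that direct mode is meant for `sslmode` values of `require` or stronger and only applies to PostgreSQL 17 and later servers, since the option is silently dropped otherwise. `Provider()` starts and ends outside the hunk.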
@@ -376,6 +382,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 DatabaseUsername: d.Get("database_username").(string),
 Superuser: d.Get("superuser").(bool),
 SSLMode: sslMode,
+ SSLNegotiation: d.get("sslnegotiation").(string),
 ApplicationName: "Terraform provider",
 ConnectTimeoutSec: d.Get("connect_timeout").(int),
 MaxConns: d.Get("max_connections").(int),
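Review bot: The added line calls `d.get("sslnegotiation")` with a lower-case `get`, while every neighbouring field uses the exported `d.Get(...)`. An unexported method of `schema.ResourceData` cannot be called from this package, so the line should not compile as written. Change it to `SSLNegotiation: d.Get("sslnegotiation").(string),`. `providerConfigure` starts and ends outside the hunk.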