Postgresql has a number of sslmodes. Currently if the user sets $wgDBssl = true; this sets the mode to 'required'. Confusingly, this means force a TLS connection but do not do any certificate validation. This is pretty useless from a security perspective (Can be defeated by an active attacker), and has essentially the same security properties as "prefer" which is what you get with $wgDBssl = false;
I think its safe to assume that anyone setting $wgDBssl = true; wants actual validated SSL connection. I think we should make sslmode be 'verify-full' if $wgDBssl = true;. verify-full essentially means follow normal TLS rules for certificates. This may be a breaking change for those relying on the old behaviour.
See https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS for what all the values mean.