feat(ssl): fully support sslmode=require with proper error handling #710

@NikolayS

Problem

When connecting with sslmode=require to a server that has no TLS configured, rpg exits with code 2 and shows:

rpg: TLS error: error performing TLS handshake

This is technically correct (require means TLS is mandatory, so failing without TLS is expected behavior), but the error message is not actionable. The user cannot tell whether:

  • The server has no TLS at all
  • The certificate is invalid
  • The handshake failed for another reason

Expected behavior

sslmode=require must be fully supported:

  • Exit code 2 on connection failure (correct, keep)
  • Error message should be clear: e.g. rpg: SSL error: server does not support SSL (matching psql's wording)
  • sslmode=verify-ca and sslmode=verify-full should similarly return clear errors distinguishing "no TLS" from "cert verification failed"

Context

Discovered during full connection path matrix audit (issue #709, Section D: SSL Modes).

psql reference behavior:

psql: error: connection to server on socket "/tmp/.s.PGSQL.5432" failed: SSL error: SSL is not enabled on the server

Acceptance criteria

  • sslmode=require against a non-TLS server: exit 2, message matches psql wording ("server does not support SSL" or equivalent)
  • sslmode=verify-ca and sslmode=verify-full against a non-TLS server: same
  • sslmode=verify-ca/verify-full with bad cert: exit 2, message clearly states certificate verification failure
  • All existing SSL tests pass
  • Unit test added covering the error message format
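
The acceptance criteria above, sketched as an added example (not code from the rpg project or from the issue author). In the PostgreSQL wire protocol the server answers a client's SSLRequest with a single byte, `S` or `N`, before any TLS handshake starts, which is what lets a client tell "no TLS" apart from a handshake or certificate failure. All type and function names are hypothetical, and the wording of every message other than "server does not support SSL" is constructed for illustration.

```rust
// Added example: every name here is hypothetical, not rpg's own code.
use std::fmt;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum SslMode { Prefer, Require, VerifyCa, VerifyFull }

#[derive(Debug, PartialEq)]
pub enum Next { StartTls, Plaintext }

#[derive(Debug, PartialEq)]
pub enum SslFailure {
    NotSupported,             // server answered 'N' to SSLRequest
    CertVerification(String), // TLS started, certificate was rejected
    Handshake(String),        // TLS started, failed for another reason
    UnexpectedReply(u8),      // reply was neither 'S' nor 'N'
}

/// Exit code the issue requires for any connection failure.
pub const EXIT_CONNECTION_FAILURE: i32 = 2;

impl fmt::Display for SslFailure {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            // Wording taken from the issue; the other three are constructed.
            SslFailure::NotSupported => write!(f, "rpg: SSL error: server does not support SSL"),
            SslFailure::CertVerification(d) => write!(f, "rpg: SSL error: certificate verification failed: {d}"),
            SslFailure::Handshake(d) => write!(f, "rpg: SSL error: TLS handshake failed: {d}"),
            SslFailure::UnexpectedReply(b) => write!(f, "rpg: SSL error: unexpected reply to SSLRequest: 0x{b:02x}"),
        }
    }
}

/// Decide the next step from the one-byte reply to SSLRequest.
/// Only `prefer` may continue in plaintext; the stricter modes must fail.
pub fn on_ssl_reply(mode: SslMode, reply: u8) -> Result<Next, SslFailure> {
    match (reply, mode) {
        (b'S', _) => Ok(Next::StartTls),
        (b'N', SslMode::Prefer) => Ok(Next::Plaintext),
        (b'N', _) => Err(SslFailure::NotSupported),
        (other, _) => Err(SslFailure::UnexpectedReply(other)),
    }
}

fn main() {
    // Constructed inputs: (requested mode, byte received from the server).
    let cases = [(SslMode::Require, b'N'), (SslMode::VerifyFull, b'N'), (SslMode::Prefer, b'N'), (SslMode::VerifyCa, b'S')];
    for (mode, reply) in cases {
        match on_ssl_reply(mode, reply) {
            Ok(next) => println!("{mode:?}: continue with {next:?}"),
            Err(e) => println!("{mode:?}: {e} (exit {EXIT_CONNECTION_FAILURE})"),
        }
    }
}
```

A unit test for the message format can assert on `to_string()` of each variant, so the TLS library's own error text never reaches the user unclassified.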
