Fair! I was assuming all this was in pursuit of near-zero downtime, like with the other recent poster, but I could be wrong.
I don’t know how officially supported this kind of thing is, but I did finally manage to get a newer version of psql to connect, by adding an ALPN entry analogous to the Traefik one from the mailing list:
[[services.ports]]
port = 5432
handlers = ['pg_tls']
tls_options = { alpn = ['postgresql'] }
And then…
$ fly console --region ewr --image debian:trixie
# psql -d 'postgres://postgres:********@mayailuridb.fly.dev:5432/sslmode=require'
psql (17.6 (Debian 17.6-0+deb13u1), server 15.8 (Debian 15.8-1.pgdg120+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.
postgres=#
That same client-side image was failing with tlsv1 alert no application protocol prior.