>A limitation on the server side is that a replication agreement's target >host, port and connection type can't be modified while the server is >running - DSA unwilling to perform. It has to be recreated or possibly >edited in offline mode. Maybe this could use some enhancement (followed >by Console unenhancement), but I'd rank replication StartTLS support >higher on the nice-to-have list. > > Changing the connection properties while the server is up is likely to take a long time to completely debug. That's because the replication connection management state machine code is rather complicated and hard to modify. However, adding support for start tls is quite easy. If you feel like it you can always take the server down and edit the replication agreement directly. But hey, replication agreements are created approximately never (like a few times when you're figuring out how the thing works, then once or twice when you deploy). So making the process silky-smooth for some even yet more uncommon corner case like changing from non-ssl to ssl seems like not a great use of limited programming and testing time (IMHO).
