diff --git a/backends/postgres/postgres_backend.go b/backends/postgres/postgres_backend.go
index 3d98dbb..c077823 100644
--- a/backends/postgres/postgres_backend.go
+++ b/backends/postgres/postgres_backend.go
@@ -5,7 +5,9 @@ import (
 	"embed"
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
+	"strings"
 	"sync"
 	"time"
 
@@ -336,15 +338,24 @@ func (p *PgBackend) initializeDB() (err error) {
 		return
 	}
 
-	sslMode := "verify-ca"
 	// nil TLSConfig means "sslmode=disable" was set on the connection
+	sslMode := "verify-ca"
 	if pgxCfg.TLSConfig == nil {
 		sslMode = "disable"
+	} else if pgxCfg.TLSConfig.InsecureSkipVerify {
+		sslMode = "require"
+	}
+	if dbURL, err := url.Parse(pgxCfg.ConnString()); err == nil &&
+		strings.HasPrefix(dbURL.Scheme, "postgres") {
+		val := dbURL.Query()
+		if v := val.Get("sslmode"); v != "" {
+			sslMode = v // set sslmode from existing connection string
+		}
 	}
 
 	pqConnectionString := fmt.Sprintf("postgres://%s:%s@%s/%s?sslmode=%s&x-migrations-table=neoq_schema_migrations",
 		pgxCfg.User,
-		pgxCfg.Password,
+		url.QueryEscape(pgxCfg.Password),
 		pgxCfg.Host,
 		pgxCfg.Database,
 		sslMode)