You can leave the choice of whether or not to use SSL to the client, or you can force SSL usage from the server's side.
To let the client choose, use a line of the following form in the pg_hba.conf file:
host database user IP-address/IP-mask auth-method
If you want to allow only SSL clients, use the hostssl keyword instead of host.
The contents of pg_hba.conf can be seen using the view pg_hba_file_rules.
The following fragment of pg_hba.conf enables both non-SSL and SSL connections from the 192.168.1.0/24 local subnet, but requires SSL from everybody accessing the database from other networks:
host all all 192.168.1.0/24 md5
hostssl all all 0.0.0.0/0 md5