Charles Hornberger wrote:
On Wed, 23 Jul 2003, Bruce Momjian wrote:
Charles Hornberger wrote:
Am I right in interpreting this to mean that I either have to use SSL all the time or none of the time? I'm especially tempted to believe this might be the case after seeing this item in the "Clients" section of http://developer.postgresql.org/todo.php:
- Allow SSL-enabled clients to turn off SSL transfers
Does that mean that, if SSL is enabled for the postmaster, the client will always be forced to use SSL? Or is there something I need to do to force the client to NOT use SSL?
Right, it will use SSL if possible, so if both client and server are SSL enabled, SSL will be used. 7.4 will allow you to control that.
I have one more question about the plans for 7.4. How will users of clients based on libpq use this? Will there be a new optional connection parameter ('ssl=true') or something?
As an aside: The only reason I'm worring about this is that sometimes my client apps generate rather large query results and as far as I can tell, the overhead of SSL encryption/decryption is slowing things down quite noticeably in those cases. But I'm pretty ignorant about these matters, and maybe SSL's not to blame (although I'd be hard pressed to explain the difference in query performance between local and SSL-over-TCP connections otherwise).
Please let us know what you find from testing.
Just a quick follow-up to share one (!) data point, which looks to me like it indicates that SSL encryption/decryption is pretty expensive on one of our Sun Ultra 5 boxes. The following query ("select * from wp") generates ~270K of output. When executed via a psql client that's connected over a non-encrypted link, it takes 0.7 seconds; over an encrypted link, it takes more than 10 times that long.
# time psql -qAt -c 'select * from wp' eclatch > /dev/null
real 0m0.718s
user 0m0.120s
sys 0m0.080s
# time psql -h localhost -qAt -c 'select * from wp' eclatch > /dev/null
real 0m8.081s
user 0m3.930s
sys 0m0.410s
# psql -qAt -c 'select * from wp' eclatch | wc
2057 30717 276549
# psql -c "select version()" template1
version
------------------------------------------------------------------
PostgreSQL 7.3.2 on sparc-sun-solaris2.7, compiled by GCC 2.95.2-Charlie
---------------------------(end of broadcast)--------------------------- TIP 9: the planner will ignore your desire to choose an index scan if your joining column's datatypes do not match
