On Tue, Jun 7, 2016 at 12:41 PM, Andreas Karlsson <andr...@proxel.se> wrote:
> On 06/07/2016 12:18 PM, Magnus Hagander wrote: > > Intersting. Can you check with a network trace that it actually turns > > off ssl, so nothing is broken there? > > > > One thing that could be taking the time is an extra roundtrip -- e.g. it > > tries to connect with ssl fails and retries without. A network trace > > should also make this obvious, and can hopefully show you exactly where > > in the connection the time is spent. > > I think this is to be expected given that the backend code initializes the > TLS connection before it looks at anything in pg_hba.conf. The TLS > connection setup is done when calling BackendInitialize() which happens > very early in the life of a backend. > > I am not familiar enough with this part of the code to know if there is a > reasonable way to fix this. Hm. You're saying it's the actual loading-of-certificate-and-setting-up-context that's slowing it down, not the actual connection step? Interesting, hadn't thought of that. I guess it can be - but it would definitely be good to identify if that's really the case. If it is there is definitely some optimization to be done there. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/