Re: [HACKERS] slower connect from hostnossl clients
2016-06-08 8:26 GMT+02:00 Kyotaro HORIGUCHI:

> At Tue, 7 Jun 2016 12:18:31 +0200, Magnus Hagander wrote in
> <cabuevez5qrmq4ebysbz+ujfg_3_ap361zqtgbh_ef+2j6p0...@mail.gmail.com>
> > On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule wrote:
> > >> That's definitely not expected behavior. hostnossl should turn off ssl
> > >> which should turn off the overhead completely. Does it make a difference if
> > >> you also disable it from the client side?
> > >
> > > When I explicitly disabled ssl, then I saw significantly less time
> >
> > Interesting. Can you check with a network trace that it actually turns off
> > ssl, so nothing is broken there?
> >
> > One thing that could be taking the time is an extra roundtrip -- e.g. it
> > tries to connect with ssl, fails and retries without. A network trace should
> > also make this obvious, and can hopefully show you exactly where in the
> > connection the time is spent.
>
> As Tom said, setting sslmode=allow or disable prevents
> reconnection against hostnossl.
>
> > psql "sslmode=disable host=127.0.0.1 dbname=postgres"
>
> There are 4 (disable, allow, prefer, require) * 3 (host, hostssl,
> hostnossl) = 12 possible combinations (ignoring verify-* of
> sslmode) of SSL usage preferences. Among these, the following two
> combinations need reconnection.
>
>   prefer + hostnossl, allow + hostssl
>
> Since no client can find whether a user can connect using (or not
> using) SSL before making any connection, reconnection is
> inevitable for the above combinations.
>
> By the way, SSL initialization takes place only when server is
> requested SSL connection (NEGOTIATE_SSL_MODE), so only prefer +
> hostnossl causes the wasted SSL initialization.

Thank you for detailed info

Regards

Pavel

> regards,
>
> --
> Kyotaro Horiguchi
> NTT Open Source Software Center

Re: [HACKERS] slower connect from hostnossl clients
At Tue, 7 Jun 2016 12:18:31 +0200, Magnus Hagander wrote in
> On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule wrote:
> >> That's definitely not expected behavior. hostnossl should turn off ssl
> >> which should turn off the overhead completely. Does it make a difference if
> >> you also disable it from the client side?
> >
> > When I explicitly disabled ssl, then I saw significantly less time
>
> Interesting. Can you check with a network trace that it actually turns off
> ssl, so nothing is broken there?
>
> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl, fails and retries without. A network trace should
> also make this obvious, and can hopefully show you exactly where in the
> connection the time is spent.

As Tom said, setting sslmode=allow or disable prevents
reconnection against hostnossl.

> psql "sslmode=disable host=127.0.0.1 dbname=postgres"

There are 4 (disable, allow, prefer, require) * 3 (host, hostssl,
hostnossl) = 12 possible combinations (ignoring verify-* of
sslmode) of SSL usage preferences. Among these, the following two
combinations need reconnection.

  prefer + hostnossl, allow + hostssl

Since no client can find whether a user can connect using (or not
using) SSL before making any connection, reconnection is
inevitable for the above combinations.

By the way, SSL initialization takes place only when server is
requested SSL connection (NEGOTIATE_SSL_MODE), so only prefer +
hostnossl causes the wasted SSL initialization.

regards,

--
Kyotaro Horiguchi
NTT Open Source Software Center

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

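The twelve sslmode / pg_hba.conf combinations counted in the message above can be enumerated with a small model. This is an added example, not code from the thread or from PostgreSQL; it assumes a server with ssl = on and a single matching pg_hba.conf record, and the function names are hypothetical.

```python
# Simplified model (an assumption, not PostgreSQL source) of how libpq's
# sslmode interacts with the type of the matching pg_hba.conf record.
# Assumes the server has ssl = on and exactly one hba record matches.

# Order in which libpq attempts connections for each sslmode.
# True = attempt with SSL, False = attempt in plaintext.
ATTEMPT_ORDER = {
    "disable": [False],
    "allow":   [False, True],   # plaintext first, fall back to SSL
    "prefer":  [True, False],   # SSL first, fall back to plaintext
    "require": [True],
}

# Which kind of connection each pg_hba.conf record type accepts.
HBA_ACCEPTS = {
    "host":      {True, False},
    "hostssl":   {True},
    "hostnossl": {False},
}


def connect(sslmode, hba_type):
    """Return (connected, attempts, ssl_inits): connections opened by the
    client, and SSL setups done by the server (only when SSL is requested)."""
    attempts = ssl_inits = 0
    for use_ssl in ATTEMPT_ORDER[sslmode]:
        attempts += 1
        ssl_inits += int(use_ssl)
        if use_ssl in HBA_ACCEPTS[hba_type]:
            return True, attempts, ssl_inits
    return False, attempts, ssl_inits


def combinations_needing_reconnect():
    """(sslmode, hba_type) pairs that succeed only on the second attempt."""
    return [(m, h) for m in ATTEMPT_ORDER for h in HBA_ACCEPTS
            if connect(m, h)[:2] == (True, 2)]


def wasted_ssl_init():
    """Pairs that end up in plaintext after the server already set up SSL."""
    return [(m, h) for m in ATTEMPT_ORDER for h in HBA_ACCEPTS
            if connect(m, h) == (True, 2, 1) and ATTEMPT_ORDER[m][0]]


if __name__ == "__main__":
    for mode in ATTEMPT_ORDER:
        for hba in HBA_ACCEPTS:
            print(f"{mode:8} {hba:10} {connect(mode, hba)}")
```

A connection string that sets no sslmode uses libpq's default of prefer, so against a hostnossl record it falls in the prefer + hostnossl row.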
Re: [HACKERS] slower connect from hostnossl clients
Magnus Hagander writes:
> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl, fails and retries without.

I'd assume a priori that that's it. If so, the fix is to configure libpq
to try non-SSL first not SSL first. There is an option for that, IIRC.

regards, tom lane

Re: [HACKERS] slower connect from hostnossl clients
2016-06-07 12:18 GMT+02:00 Magnus Hagander:

> On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule wrote:
>
>> 2016-06-07 11:29 GMT+02:00 Magnus Hagander:
>>
>>> On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule wrote:
>>>
>>>> Hi
>>>>
>>>> I am testing speed of connection to Postgres.
>>>>
>>>> The ssl connection is slower, and it is expected. But when I configure
>>>> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
>>>> speed is similar to ssl.
>>>>
>>>> Is it expected behavior?
>>>
>>> That's definitely not expected behavior. hostnossl should turn off ssl
>>> which should turn off the overhead completely. Does it make a difference if
>>> you also disable it from the client side?
>>
>> When I explicitly disabled ssl, then I saw significantly less time
>
> Interesting. Can you check with a network trace that it actually turns off
> ssl, so nothing is broken there?

I tested it on local only. The difference is +/- 5-10 ms, but it is well visible

My customer tested it on network, but on Windows, and there the difference is about 100ms

Pavel

> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl, fails and retries without. A network trace should
> also make this obvious, and can hopefully show you exactly where in the
> connection the time is spent.

See attached log

My pg_hba.conf

# TYPE  DATABASE  USER  ADDRESS  METHOD

# "local" is for Unix domain socket connections only
local      all  all                  trust
# IPv4 local connections:
hostnossl  all  all  10.151.1.41/32  trust
# IPv6 local connections:
host       all  all  ::1/128         trust

connection string

host=10.151.1.41 port=5432 dbname=postgres user=pavel

Regards

Pavel

> --
> Magnus Hagander
> Me: http://www.hagander.net/
> Work: http://www.redpill-linpro.com/

Attachment: log (binary data)

Re: [HACKERS] slower connect from hostnossl clients
On Tue, Jun 7, 2016 at 12:41 PM, Andreas Karlsson wrote:

> On 06/07/2016 12:18 PM, Magnus Hagander wrote:
> > Interesting. Can you check with a network trace that it actually turns
> > off ssl, so nothing is broken there?
> >
> > One thing that could be taking the time is an extra roundtrip -- e.g. it
> > tries to connect with ssl, fails and retries without. A network trace
> > should also make this obvious, and can hopefully show you exactly where
> > in the connection the time is spent.
>
> I think this is to be expected given that the backend code initializes the
> TLS connection before it looks at anything in pg_hba.conf. The TLS
> connection setup is done when calling BackendInitialize() which happens
> very early in the life of a backend.
>
> I am not familiar enough with this part of the code to know if there is a
> reasonable way to fix this.

Hm. You're saying it's the actual loading-of-certificate-and-setting-up-context
that's slowing it down, not the actual connection step? Interesting, hadn't
thought of that. I guess it can be - but it would definitely be good to
identify if that's really the case. If it is there is definitely some
optimization to be done there.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Re: [HACKERS] slower connect from hostnossl clients
On 06/07/2016 12:18 PM, Magnus Hagander wrote:
> Interesting. Can you check with a network trace that it actually turns
> off ssl, so nothing is broken there?
>
> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl, fails and retries without. A network trace
> should also make this obvious, and can hopefully show you exactly where
> in the connection the time is spent.

I think this is to be expected given that the backend code initializes the
TLS connection before it looks at anything in pg_hba.conf. The TLS
connection setup is done when calling BackendInitialize() which happens
very early in the life of a backend.

I am not familiar enough with this part of the code to know if there is a
reasonable way to fix this.

Andreas

Re: [HACKERS] slower connect from hostnossl clients
On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule wrote:

> 2016-06-07 11:29 GMT+02:00 Magnus Hagander:
>
>> On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule wrote:
>>
>>> Hi
>>>
>>> I am testing speed of connection to Postgres.
>>>
>>> The ssl connection is slower, and it is expected. But when I configure
>>> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
>>> speed is similar to ssl.
>>>
>>> Is it expected behavior?
>>
>> That's definitely not expected behavior. hostnossl should turn off ssl
>> which should turn off the overhead completely. Does it make a difference if
>> you also disable it from the client side?
>
> When I explicitly disabled ssl, then I saw significantly less time

Interesting. Can you check with a network trace that it actually turns off
ssl, so nothing is broken there?

One thing that could be taking the time is an extra roundtrip -- e.g. it
tries to connect with ssl, fails and retries without. A network trace should
also make this obvious, and can hopefully show you exactly where in the
connection the time is spent.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Re: [HACKERS] slower connect from hostnossl clients
2016-06-07 11:29 GMT+02:00 Magnus Hagander:

> On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule wrote:
>
>> Hi
>>
>> I am testing speed of connection to Postgres.
>>
>> The ssl connection is slower, and it is expected. But when I configure
>> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
>> speed is similar to ssl.
>>
>> Is it expected behavior?
>
> That's definitely not expected behavior. hostnossl should turn off ssl
> which should turn off the overhead completely. Does it make a difference if
> you also disable it from the client side?

When I explicitly disabled ssl, then I saw significantly less time

Regards

Pavel

> --
> Magnus Hagander
> Me: http://www.hagander.net/
> Work: http://www.redpill-linpro.com/

Re: [HACKERS] slower connect from hostnossl clients
On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule wrote:

> Hi
>
> I am testing speed of connection to Postgres.
>
> The ssl connection is slower, and it is expected. But when I configure
> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
> speed is similar to ssl.
>
> Is it expected behavior?

That's definitely not expected behavior. hostnossl should turn off ssl
which should turn off the overhead completely. Does it make a difference if
you also disable it from the client side?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

[HACKERS] slower connect from hostnossl clients
Hi

I am testing speed of connection to Postgres.

The ssl connection is slower, and it is expected. But when I configure
pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
speed is similar to ssl.

Is it expected behavior?

Regards

Pavel