Re: [HACKERS] slower connect from hostnossl clients

[Pavel Stehule]

2016-06-08 8:26 GMT+02:00 Kyotaro HORIGUCHI :

> At Tue, 7 Jun 2016 12:18:31 +0200, Magnus Hagander 
> wrote in <
> cabuevez5qrmq4ebysbz+ujfg_3_ap361zqtgbh_ef+2j6p0...@mail.gmail.com>
> > On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule 
> > wrote:
> > >> That's definitely not expected behavior. hostnossl should turn off ssl
> > >> which should turn off the overhead completely. Does it make a
> difference if
> > >> you also disable it from the client side?
> > >>
> > >
> > > When I explicitly disabled ssl, then I seen significantly less time
> > >
> > >
> > Intersting. Can you check with a network trace that it actually turns off
> > ssl, so nothing is broken there?
> >
> > One thing that could be taking the time is an extra roundtrip -- e.g. it
> > tries to connect with ssl fails and retries without. A network trace
> should
> > also make this obvious, and can hopefully show you exactly where in the
> > connection the time is spent.
>
> As Tom said, setting sslmode=allow or disable prevents
> reconnection against hostnossl.
>
> > psql "sslmode=disable host=127.0.0.1 dbname=postgres"
>
> There are 4 (disable, allow, prefer, require) * 3 (host, hostssl,
> hostnossl) = 12 possible combinations (ignoring veryfy-* of
> sslmode) of SSL usage preferences. Among these, the following two
> combinations needs reconnection.
>
> prefer + hostnossl , allow + hostssl
>
> Since no client can find whether a user can connect using (or not
> using) SSL before making any connection, reconnection is
> inevitable for the above combinations.
>
> By the way, SSL initialization takes place only when server is
> requested SSL connection (NEGOTIATE_SSL_MODE), so only prefer +
> hostnossl causes the wasting SSL intialization.
>

Thank you for detailed info

Regards

Pavel


>
> regards,
>
> --
> Kyotaro Horiguchi
> NTT Open Source Software Center
>
>
>

Re: [HACKERS] slower connect from hostnossl clients

[Kyotaro HORIGUCHI]

At Tue, 7 Jun 2016 12:18:31 +0200, Magnus Hagander  wrote 
in 
> On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule 
> wrote:
> >> That's definitely not expected behavior. hostnossl should turn off ssl
> >> which should turn off the overhead completely. Does it make a difference if
> >> you also disable it from the client side?
> >>
> >
> > When I explicitly disabled ssl, then I seen significantly less time
> >
> >
> Intersting. Can you check with a network trace that it actually turns off
> ssl, so nothing is broken there?
> 
> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl fails and retries without. A network trace should
> also make this obvious, and can hopefully show you exactly where in the
> connection the time is spent.

As Tom said, setting sslmode=allow or disable prevents
reconnection against hostnossl.

> psql "sslmode=disable host=127.0.0.1 dbname=postgres"
 
There are 4 (disable, allow, prefer, require) * 3 (host, hostssl,
hostnossl) = 12 possible combinations (ignoring veryfy-* of
sslmode) of SSL usage preferences. Among these, the following two
combinations needs reconnection.

prefer + hostnossl , allow + hostssl

Since no client can find whether a user can connect using (or not
using) SSL before making any connection, reconnection is
inevitable for the above combinations.

By the way, SSL initialization takes place only when server is
requested SSL connection (NEGOTIATE_SSL_MODE), so only prefer +
hostnossl causes the wasting SSL intialization.

regards,

-- 
Kyotaro Horiguchi
NTT Open Source Software Center




-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] slower connect from hostnossl clients

[Tom Lane]

Magnus Hagander  writes:
> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl fails and retries without.

I'd assume a priori that that's it.  If so, the fix is to configure libpq
to try non-SSL first not SSL first.  There is an option for that, IIRC.

regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] slower connect from hostnossl clients

[Pavel Stehule]

2016-06-07 12:18 GMT+02:00 Magnus Hagander :

>
>
> On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule 
> wrote:
>
>>
>>
>> 2016-06-07 11:29 GMT+02:00 Magnus Hagander :
>>
>>>
>>>
>>> On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule 
>>> wrote:
>>>
 Hi

 I am testing speed of connection to Postgres.

 The ssl connection is slower, and it is expected. But when I configure
 pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
 speed is similar to ssl.

 Is it expected behave?


>>> That's definitely not expected behavior. hostnossl should turn off ssl
>>> which should turn off the overhead completely. Does it make a difference if
>>> you also disable it from the client side?
>>>
>>
>> When I explicitly disabled ssl, then I seen significantly less time
>>
>>
> Intersting. Can you check with a network trace that it actually turns off
> ssl, so nothing is broken there?
>

I tested it on local only. The difference is +/- 5-10 ms, but it is well
visible

My customer tested it on network, but on Windows, and there difference is
about 100ms

Pavel


>
> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl fails and retries without. A network trace should
> also make this obvious, and can hopefully show you exactly where in the
> connection the time is spent.
>

See attached log

My pg_hba.conf

# TYPE  DATABASEUSERADDRESS METHOD

# "local" is for Unix domain socket connections only
local   all all trust
# IPv4 local connections:

hostnosslall all 10.151.1.41/32
trust
# IPv6 local connections:
hostall all ::1/128 trust

connection string
host=10.151.1.41   port=5432  dbname=postgres user=pavel

Regards

Pavel


>
>
> --
>  Magnus Hagander
>  Me: http://www.hagander.net/
>  Work: http://www.redpill-linpro.com/
>


log
Description: Binary data

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] slower connect from hostnossl clients

[Magnus Hagander]

On Tue, Jun 7, 2016 at 12:41 PM, Andreas Karlsson  wrote:

> On 06/07/2016 12:18 PM, Magnus Hagander wrote:
> > Intersting. Can you check with a network trace that it actually turns
> > off ssl, so nothing is broken there?
> >
> > One thing that could be taking the time is an extra roundtrip -- e.g. it
> > tries to connect with ssl fails and retries without. A network trace
> > should also make this obvious, and can hopefully show you exactly where
> > in the connection the time is spent.
>
> I think this is to be expected given that the backend code initializes the
> TLS connection before it looks at anything in pg_hba.conf. The TLS
> connection setup is done when calling BackendInitialize() which happens
> very early in the life of a backend.
>
> I am not familiar enough with this part of the code to know if there is a
> reasonable way to fix this.


Hm. You're saying it's the actual
loading-of-certificate-and-setting-up-context that's slowing it down, not
the actual connection step?

Interesting, hadn't thought of that. I guess it can be - but it would
definitely be good to identify if that's really the case. If it is there is
definitely some optimization to be done there.


-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: [HACKERS] slower connect from hostnossl clients

[Andreas Karlsson]

On 06/07/2016 12:18 PM, Magnus Hagander wrote:
> Intersting. Can you check with a network trace that it actually turns
> off ssl, so nothing is broken there?
>
> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl fails and retries without. A network trace
> should also make this obvious, and can hopefully show you exactly where
> in the connection the time is spent.

I think this is to be expected given that the backend code initializes 
the TLS connection before it looks at anything in pg_hba.conf. The TLS 
connection setup is done when calling BackendInitialize() which happens 
very early in the life of a backend.


I am not familiar enough with this part of the code to know if there is 
a reasonable way to fix this.


Andreas



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] slower connect from hostnossl clients

[Magnus Hagander]

On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule 
wrote:

>
>
> 2016-06-07 11:29 GMT+02:00 Magnus Hagander :
>
>>
>>
>> On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule 
>> wrote:
>>
>>> Hi
>>>
>>> I am testing speed of connection to Postgres.
>>>
>>> The ssl connection is slower, and it is expected. But when I configure
>>> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
>>> speed is similar to ssl.
>>>
>>> Is it expected behave?
>>>
>>>
>> That's definitely not expected behavior. hostnossl should turn off ssl
>> which should turn off the overhead completely. Does it make a difference if
>> you also disable it from the client side?
>>
>
> When I explicitly disabled ssl, then I seen significantly less time
>
>
Intersting. Can you check with a network trace that it actually turns off
ssl, so nothing is broken there?

One thing that could be taking the time is an extra roundtrip -- e.g. it
tries to connect with ssl fails and retries without. A network trace should
also make this obvious, and can hopefully show you exactly where in the
connection the time is spent.


-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: [HACKERS] slower connect from hostnossl clients

[Pavel Stehule]

2016-06-07 11:29 GMT+02:00 Magnus Hagander :

>
>
> On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule 
> wrote:
>
>> Hi
>>
>> I am testing speed of connection to Postgres.
>>
>> The ssl connection is slower, and it is expected. But when I configure
>> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
>> speed is similar to ssl.
>>
>> Is it expected behave?
>>
>>
> That's definitely not expected behavior. hostnossl should turn off ssl
> which should turn off the overhead completely. Does it make a difference if
> you also disable it from the client side?
>

When I explicitly disabled ssl, then I seen significantly less time

Regards

Pavel


>
> --
>  Magnus Hagander
>  Me: http://www.hagander.net/
>  Work: http://www.redpill-linpro.com/
>

Re: [HACKERS] slower connect from hostnossl clients

[Magnus Hagander]

On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule 
wrote:

> Hi
>
> I am testing speed of connection to Postgres.
>
> The ssl connection is slower, and it is expected. But when I configure
> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
> speed is similar to ssl.
>
> Is it expected behave?
>
>
That's definitely not expected behavior. hostnossl should turn off ssl
which should turn off the overhead completely. Does it make a difference if
you also disable it from the client side?

-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

[HACKERS] slower connect from hostnossl clients

[Pavel Stehule]

Hi

I am testing speed of connection to Postgres.

The ssl connection is slower, and it is expected. But when I configure
pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
speed is similar to ssl.

Is it expected behave?

Regards

Pavel