From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Charles Hornberger <charlie(at)hss(dot)caltech(dot)edu> |
Cc: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: using ssl some of the time |
Date: | 2003-07-24 20:44:48 |
Message-ID: | 200307242044.h6OKim627411@candle.pha.pa.us |
Lists: | pgsql-admin |

Charles Hornberger wrote:
> Bruce Momjian wrote:
> > Charles Hornberger wrote:
> >
> >>On Wed, 23 Jul 2003, Bruce Momjian wrote:
> >>
> >>>Charles Hornberger wrote:
> >>>
> >>>>Am I right in interpreting this to mean that I either have to use SSL
> >>>>all the time or none of the time? I'm especially tempted to believe
> >>>>this might be the case after seeing this item in the "Clients" section
> >>>>of http://developer.postgresql.org/todo.php:
> >>>>
> >>>> - Allow SSL-enabled clients to turn off SSL transfers
> >>>>
> >>>>Does that mean that, if SSL is enabled for the postmaster, the client
> >>>>will always be forced to use SSL? Or is there something I need to do to
> >>>>force the client to NOT use SSL?
> >>>
> >>>Right, it will use SSL if possible, so if both client and server are SSL
> >>>enabled, SSL will be used. 7.4 will allow you to control that.
>
>
> I have one more question about the plans for 7.4. How will users of
> clients based on libpq use this? Will there be a new optional connection
> parameter ('ssl=true') or something?

Yes, exactly.

> Just a quick follow-up to share one (!) data point, which looks to me
> like it indicates that SSL encryption/decryption is pretty expensive on
> one of our Sun Ultra 5 boxes. The following query ("select * from wp")
> generates ~270K of output. When executed via a psql client that's
> connected over a non-encrypted link, it takes 0.7 seconds; over an
> encrypted link, it takes more than 10 times that long.
>
> # time psql -qAt -c 'select * from wp' eclatch > /dev/null
> real 0m0.718s
> user 0m0.120s
> sys 0m0.080s
> # time psql -h localhost -qAt -c 'select * from wp' eclatch > /dev/null
> real 0m8.081s
> user 0m3.930s
> sys 0m0.410s
> # psql -qAt -c 'select * from wp' eclatch | wc
> 2057 30717 276549
> # psql -c "select version()" template1

Wow. I wonder if we should be using SSL by default in our connections.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073