Re: slower connect from hostnossl clients

On Tue, Jun 7, 2016 at 12:41 PM, Andreas Karlsson <andreas(at)proxel(dot)se> wrote:

> On 06/07/2016 12:18 PM, Magnus Hagander wrote:
> > Intersting. Can you check with a network trace that it actually turns
> > off ssl, so nothing is broken there?
> >
> > One thing that could be taking the time is an extra roundtrip -- e.g. it
> > tries to connect with ssl fails and retries without. A network trace
> > should also make this obvious, and can hopefully show you exactly where
> > in the connection the time is spent.
>
> I think this is to be expected given that the backend code initializes the
> TLS connection before it looks at anything in pg_hba.conf. The TLS
> connection setup is done when calling BackendInitialize() which happens
> very early in the life of a backend.
>
> I am not familiar enough with this part of the code to know if there is a
> reasonable way to fix this.

Hm. You're saying it's the actual
loading-of-certificate-and-setting-up-context that's slowing it down, not
the actual connection step?

Interesting, hadn't thought of that. I guess it can be - but it would
definitely be good to identify if that's really the case. If it is there is
definitely some optimization to be done there.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/