From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Bruno Wolff III <bruno(at)wolff(dot)to> |
Cc: | Jon Jensen <jon(at)endpoint(dot)com>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, pgsql-patches(at)postgresql(dot)org |
Subject: | Re: Refuse SSL patch |
Date: | 2003-01-07 16:39:12 |
Message-ID: | 13940.1041957552@sss.pgh.pa.us |
Lists: | pgsql-patches |

Bruno Wolff III <bruno(at)wolff(dot)to> writes:
> Can't you use a "reject" hostssl line in hba.conf to keep SSL connections
> from working for particular IP addresses? Does the client not fall back
> in this case?

I think it won't --- the fallback is only at the initial attempt to open
the connection, not if the startup packet is rejected.

A more global question is whether the overhead of SSL is really large
enough to justify any concern about avoiding it. I have never measured
it, but even a local LAN is a lot slower than modern CPUs. It doesn't
seem to me to be a foregone conclusion that we need to worry about
providing a way to avoid it.

regards, tom lane