From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Charles Hornberger <charlie(at)hss(dot)caltech(dot)edu> |
Cc: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: using ssl some of the time |
Date: | 2003-07-23 17:54:15 |
Message-ID: | 200307231754.h6NHsFb03456@candle.pha.pa.us |
Lists: | pgsql-admin |
Charles Hornberger wrote:
> On Wed, 23 Jul 2003, Bruce Momjian wrote:
> > Charles Hornberger wrote:
> > > Am I right in interpreting this to mean that I either have to use SSL
> > > all the time or none of the time? I'm especially tempted to believe
> > > this might be the case after seeing this item in the "Clients" section
> > > of http://developer.postgresql.org/todo.php:
> > >
> > > - Allow SSL-enabled clients to turn off SSL transfers
> > >
> > > Does that mean that, if SSL is enabled for the postmaster, the client
> > > will always be forced to use SSL? Or is there something I need to do to
> > > force the client to NOT use SSL?
> >
> > Right, it will use SSL if possible, so if both client and server are SSL
> > enabled, SSL will be used. 7.4 will allow you to control that.
>
> Interesting. So, am I right in thinking that in 7.3.x, theoretically it'd
> be possible to build the postgres backends with SSL support but the
> clients -- and I guess libpq is really what I'm talking about here, since
> normally I'm connecting via Python or PHP -- without it? And would an
> SSL-enabled backend agree to talk to a SSL-disabled client?
Yes, you could do it, but by default, libpq will have SSL compiled in it
just like the backend, but if you created a non-ssl client, it would
talk to the postmaster just fine, unless you have hostssl in
pg_hba.conf.
> As an aside: The only reason I'm worrying about this is that sometimes my
> client apps generate rather large query results and as far as I can tell,
> the overhead of SSL encryption/decryption is slowing things down quite
> noticeably in those cases. But I'm pretty ignorant about these matters,
> and maybe SSL's not to blame (although I'd be hard pressed to explain the
> difference in query performance between local and SSL-over-TCP connections
> otherwise).
Please let us know what you find from testing.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
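
As an added illustration of the hostssl point in the reply above (not code from the thread or from the PostgreSQL project): a simplified first-match evaluator for pg_hba.conf records, showing that a client without SSL is refused only where no plain `host` record also matches it. The sample file, addresses, database and user names are constructed, and matching is simplified to `all` or an exact name.

```python
import ipaddress

# Constructed sample pg_hba.conf (address + mask columns), not from the thread.
SAMPLE_HBA = """
# TYPE   DATABASE  USER  IP-ADDRESS    IP-MASK          METHOD
local    all       all                                  trust
hostssl  all       all   10.0.0.0      255.0.0.0        md5
host     reports   all   10.1.2.0      255.255.255.0    md5
"""

def parse_hba(text):
    """Return (type, database, user, network, method) tuples for TCP records."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 6 and fields[0] in ("host", "hostssl"):
            kind, db, user, addr, mask, method = fields
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules.append((kind, db, user, net, method))
    return rules

def first_match(rules, client_ip, database, user, ssl):
    """Simplified first-match lookup: only 'all' or an exact name is understood."""
    ip = ipaddress.ip_address(client_ip)
    for kind, db, usr, net, method in rules:
        if kind == "hostssl" and not ssl:
            continue  # hostssl records never match an unencrypted connection
        if db in ("all", database) and usr in ("all", user) and ip in net:
            return kind, method
    return None  # no record matched: the connection is refused

def plaintext_tcp_rules(rules):
    """Records that still let a client built without SSL connect over TCP."""
    return [r for r in rules if r[0] == "host"]

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ip, db in (("10.9.9.9", "sales"), ("10.1.2.7", "reports")):
        for ssl in (True, False):
            print(ip, db, "ssl" if ssl else "plain", first_match(rules, ip, db, "charlie", ssl))
    print("plaintext-capable records:", plaintext_tcp_rules(rules))
```

In the constructed file, the `host` record for `reports` is what lets an unencrypted client in; with only the `hostssl` record, every non-SSL TCP connection would be refused.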