Skip site navigation (1) Skip section navigation (2)

Re: SSL over Unix-domain sockets

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SSL over Unix-domain sockets
Date: 2008-01-05 19:14:53
Message-ID: 477FD72D.2060407@mark.mielke.cc (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-patches
Tom Lane wrote:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
>   
>> Here is a patch that implements "localssl" as well.  It is quite simple.  
>>     
> The other area that would need some thought before we could consider
> this "done" is the behavior of libpq's sslmode parameter.  With the
> patch as given, an SSL-capable libpq will *default* to using SSL over
> sockets, which might be thought overkill; it is almost certainly
> going to result in a performance penalty.  Is this a reasonable default
> behavior?  Should sslmode be extended to allow specification of
> different behaviors for sockets vs. TCP
Does the patch handle patched clients connecting to unpatched servers 
and vice versa?

I am undecided whether I will use this proposed functionality or not. I 
would like to tighten up security (only a few people have access to the 
machine, but even a few may be a few too many?). Cryptographic 
authentication and encrypted data stream cost is high compared to no 
cryptographic authentication or encrypted data streams. I don't know if 
it would impact me or not. Peter: Have you tried running a benchmark of 
localssl vs localnossl?

Cheers,
mark

-- 
Mark Mielke <mark(at)mielke(dot)cc>

In response to

Responses

pgsql-hackers by date

Next:From: Gokulakannan SomasundaramDate: 2008-01-05 19:42:32
Subject: Re: Dynamic Partitioning using Segment Visibility Maps
Previous:From: Markus SchiltknechtDate: 2008-01-05 19:02:41
Subject: Re: Dynamic Partitioning using Segment Visibility Maps

pgsql-patches by date

Next:From: Peter EisentrautDate: 2008-01-05 21:05:20
Subject: Re: SSL over Unix-domain sockets
Previous:From: Tom LaneDate: 2008-01-05 17:39:08
Subject: Re: SSL over Unix-domain sockets

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group