Re: using ssl some of the time

From: Charles Hornberger <charlie(at)hss(dot)caltech(dot)edu>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: using ssl some of the time
Date: 2003-07-24 18:18:24
Message-ID: 3F2022F0.2000106@hss.caltech.edu
Lists: pgsql-admin

Bruce Momjian wrote:
> Charles Hornberger wrote:
>
>>On Wed, 23 Jul 2003, Bruce Momjian wrote:
>>
>>>Charles Hornberger wrote:
>>>
>>>>Am I right in interpreting this to mean that I either have to use SSL
>>>>all the time or none of the time? I'm especially tempted to believe
>>>>this might be the case after seeing this item in the "Clients" section
>>>>of http://developer.postgresql.org/todo.php:
>>>>
>>>> - Allow SSL-enabled clients to turn off SSL transfers
>>>>
>>>>Does that mean that, if SSL is enabled for the postmaster, the client
>>>>will always be forced to use SSL? Or is there something I need to do to
>>>>force the client to NOT use SSL?
>>>
>>>Right, it will use SSL if possible, so if both client and server are SSL
>>>enabled, SSL will be used. 7.4 will allow you to control that.

I have one more question about the plans for 7.4. How will users of
clients based on libpq use this? Will there be a new optional connection
parameter ('ssl=true') or something?

>>As an aside: The only reason I'm worrying about this is that sometimes my
>>client apps generate rather large query results and as far as I can tell,
>>the overhead of SSL encryption/decryption is slowing things down quite
>>noticeably in those cases. But I'm pretty ignorant about these matters,
>>and maybe SSL's not to blame (although I'd be hard pressed to explain the
>>difference in query performance between local and SSL-over-TCP connections
>>otherwise).
>
>
> Please let us know what you find from testing.
>

Just a quick follow-up to share one (!) data point, which looks to me
like it indicates that SSL encryption/decryption is pretty expensive on
one of our Sun Ultra 5 boxes. The following query ("select * from wp")
generates ~270K of output. When executed via a psql client that's
connected over a non-encrypted link, it takes 0.7 seconds; over an
encrypted link, it takes more than 10 times that long.

# time psql -qAt -c 'select * from wp' eclatch > /dev/null
real 0m0.718s
user 0m0.120s
sys 0m0.080s
# time psql -h localhost -qAt -c 'select * from wp' eclatch > /dev/null
real 0m8.081s
user 0m3.930s
sys 0m0.410s
# psql -qAt -c 'select * from wp' eclatch | wc
2057 30717 276549
# psql -c "select version()" template1
version
------------------------------------------------------------------
PostgreSQL 7.3.2 on sparc-sun-solaris2.7, compiled by GCC 2.95.2

-Charlie
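
One way to repeat the measurement above with the transport held constant (TCP to localhost in both runs, so that only encryption differs), as an added example that is not part of the original message. It assumes a libpq that honours the PGSSLMODE environment variable and GNU date; the function names are hypothetical, and the host, database and query are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): time the same query over TCP
# with SSL disabled and with SSL required, and report the median slowdown.
# Assumed: libpq honours PGSSLMODE; GNU date (%N); hypothetical function names.
# Usage: sh <this script> run

# Convert a "0m8.081s" figure, as printed by the shell's time, into seconds.
to_seconds() {
    echo "$1" | awk -F'[ms]' '{ printf "%.3f\n", $1 * 60 + $2 }'
}

# Median of whitespace-separated numbers read from stdin.
median() {
    tr -s ' ' '\n' | sort -n | awk 'NF { v[++n] = $1 }
        END { if (n == 0) exit 1
              m = (n % 2) ? v[(n + 1) / 2] : (v[n / 2] + v[n / 2 + 1]) / 2
              printf "%.3f\n", m }'
}

# slowdown BASE OTHER: how many times longer OTHER took than BASE.
slowdown() {
    awk -v base="$1" -v other="$2" 'BEGIN { if (base <= 0) exit 1; printf "%.1f\n", other / base }'
}

# time_query MODE: wall-clock seconds for one run with the given sslmode.
time_query() {
    start=$(date +%s.%N)
    PGSSLMODE="$1" psql -h localhost -qAt -c 'select * from wp' eclatch >/dev/null || return 1
    end=$(date +%s.%N)
    awk -v s="$start" -v e="$end" 'BEGIN { printf "%.3f\n", e - s }'
}

# bench MODE RUNS: median elapsed time over RUNS runs, so one outlier does not decide.
bench() {
    mode=$1; runs=$2; times=""; i=0
    while [ "$i" -lt "$runs" ]; do
        t=$(time_query "$mode") || { echo "psql failed with sslmode=$mode" >&2; return 1; }
        times="$times $t"; i=$((i + 1))
    done
    echo "$times" | median
}

if [ "${1:-}" = "run" ]; then
    plain=$(bench disable 5) || exit 1
    ssl=$(bench require 5) || exit 1
    echo "sslmode=disable median ${plain}s, sslmode=require median ${ssl}s"
    echo "slowdown: $(slowdown "$plain" "$ssl")x"
fi
```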
