Re: Refuse SSL patch
| От | Tom Lane |
|---|---|
| Тема | Re: Refuse SSL patch |
| Дата | |
| Msg-id | 13940.1041957552@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: Refuse SSL patch (Bruno Wolff III <bruno@wolff.to>) |
| Ответы |
Re: Refuse SSL patch
|
| Список | pgsql-patches |
Bruno Wolff III <bruno@wolff.to> writes:
> Can't you use a "reject" hostssl line in hba.conf to keep SSL connections
> from working for particular IP addresses? Does the client not fall back
> in this case?
I think it won't --- the fallback is only at the initial attempt to open
the connection, not if the startup packet is rejected.
A more global question is whether the overhead of SSL is really large
enough to justify any concern about avoiding it. I have never measured
it, but even a local LAN is a lot slower than modern CPUs. It doesn't
seem to me to be a foregone conclusion that we need to worry about
providing a way to avoid it.
regards, tom lane
В списке pgsql-patches по дате отправления: