Re: using ssl some of the time
| От | Bruce Momjian |
|---|---|
| Тема | Re: using ssl some of the time |
| Дата | |
| Msg-id | 200307242044.h6OKim627411@candle.pha.pa.us обсуждение исходный текст |
| Ответ на | Re: using ssl some of the time (Charles Hornberger <charlie@hss.caltech.edu>) |
| Ответы |
Re: using ssl some of the time
|
| Список | pgsql-admin |
Charles Hornberger wrote: > Bruce Momjian wrote: > > Charles Hornberger wrote: > > > >>On Wed, 23 Jul 2003, Bruce Momjian wrote: > >> > >>>Charles Hornberger wrote: > >>> > >>>>Am I right in interpreting this to mean that I either have to use SSL > >>>>all the time or none of the time? I'm especially tempted to believe > >>>>this might be the case after seeing this item in the "Clients" section > >>>>of http://developer.postgresql.org/todo.php: > >>>> > >>>> - Allow SSL-enabled clients to turn off SSL transfers > >>>> > >>>>Does that mean that, if SSL is enabled for the postmaster, the client > >>>>will always be forced to use SSL? Or is there something I need to do to > >>>>force the client to NOT use SSL? > >>> > >>>Right, it will use SSL if possible, so if both client and server are SSL > >>>enabled, SSL will be used. 7.4 will allow you to control that. > > > I have one more question about the plans for 7.4. How will users of > clients based on libpq use this? Will there be a new optional connection > parameter ('ssl=true') or something? Yes, exactly. > Just a quick follow-up to share one (!) data point, which looks to me > like it indicates that SSL encryption/decryption is pretty expensive on > one of our Sun Ultra 5 boxes. The following query ("select * from wp") > generates ~270K of output. When executed via a psql client that's > connected over a non-encrypted link, it takes 0.7 seconds; over an > encrypted link, it takes more than 10 times that long. > > # time psql -qAt -c 'select * from wp' eclatch > /dev/null > real 0m0.718s > user 0m0.120s > sys 0m0.080s > # time psql -h localhost -qAt -c 'select * from wp' eclatch > /dev/null > real 0m8.081s > user 0m3.930s > sys 0m0.410s > # psql -qAt -c 'select * from wp' eclatch | wc > 2057 30717 276549 > # psql -c "select version()" template1 Wow. I wonder if we should be using SSL by default in our connections. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
В списке pgsql-admin по дате отправления: