On 06/07/2016 12:18 PM, Magnus Hagander wrote:> Intersting. Can you check with a network trace that it actually turns>
offssl, so nothing is broken there?>> One thing that could be taking the time is an extra roundtrip -- e.g. it> tries
toconnect with ssl fails and retries without. A network trace> should also make this obvious, and can hopefully show
youexactly where> in the connection the time is spent.
I think this is to be expected given that the backend code initializes
the TLS connection before it looks at anything in pg_hba.conf. The TLS
connection setup is done when calling BackendInitialize() which happens
very early in the life of a backend.
I am not familiar enough with this part of the code to know if there is
a reasonable way to fix this.
Andreas