On Tue, Jun 7, 2016 at 12:41 PM, Andreas Karlsson <andreas@proxel.se> wrote:
On 06/07/2016 12:18 PM, Magnus Hagander wrote: > Intersting. Can you check with a network trace that it actually turns > off ssl, so nothing is broken there? > > One thing that could be taking the time is an extra roundtrip -- e.g. it > tries to connect with ssl fails and retries without. A network trace > should also make this obvious, and can hopefully show you exactly where > in the connection the time is spent.
I think this is to be expected given that the backend code initializes the TLS connection before it looks at anything in pg_hba.conf. The TLS connection setup is done when calling BackendInitialize() which happens very early in the life of a backend.
I am not familiar enough with this part of the code to know if there is a reasonable way to fix this.
Hm. You're saying it's the actual loading-of-certificate-and-setting-up-context that's slowing it down, not the actual connection step?
Interesting, hadn't thought of that. I guess it can be - but it would definitely be good to identify if that's really the case. If it is there is definitely some optimization to be done there.