Re: Refuse SSL patch

From: Tom Lane
Subject: Re: Refuse SSL patch
Date:
Msg-id: 13940.1041957552@sss.pgh.pa.us
In response to: Re: Refuse SSL patch  (Bruno Wolff III <bruno@wolff.to>)
Responses: Re: Refuse SSL patch  (Jon Jensen <jon@endpoint.com>)
List: pgsql-patches
Bruno Wolff III <bruno@wolff.to> writes:
> Can't you use a "reject" hostssl line in hba.conf to keep SSL connections
> from working for particular IP addresses? Does the client not fall back
> in this case?

I think it won't --- the fallback is only at the initial attempt to open
the connection, not if the startup packet is rejected.

A more global question is whether the overhead of SSL is really large
enough to justify any concern about avoiding it.  I have never measured
it, but even a local LAN is a lot slower than modern CPUs.  It doesn't
seem to me to be a foregone conclusion that we need to worry about
providing a way to avoid it.

            regards, tom lane
