slower connect from hostnossl clients

Started by Pavel Stehule over 9 years ago, 10 messages
#1 Pavel Stehule
pavel.stehule@gmail.com

Hi

I am testing speed of connection to Postgres.

The ssl connection is slower, and it is expected. But when I configure
pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
speed is similar to ssl.

Is it expected behavior?

Regards

Pavel

#2 Magnus Hagander
magnus@hagander.net
In reply to: Pavel Stehule (#1)
Re: slower connect from hostnossl clients

On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule <pavel.stehule@gmail.com>
wrote:

> Hi
>
> I am testing speed of connection to Postgres.
>
> The ssl connection is slower, and it is expected. But when I configure
> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
> speed is similar to ssl.
>
> Is it expected behavior?

That's definitely not expected behavior. hostnossl should turn off ssl
which should turn off the overhead completely. Does it make a difference if
you also disable it from the client side?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

#3 Pavel Stehule
pavel.stehule@gmail.com
In reply to: Magnus Hagander (#2)
Re: slower connect from hostnossl clients

2016-06-07 11:29 GMT+02:00 Magnus Hagander <magnus@hagander.net>:

> On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule <pavel.stehule@gmail.com>
> wrote:
>
>> Hi
>>
>> I am testing speed of connection to Postgres.
>>
>> The ssl connection is slower, and it is expected. But when I configure
>> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
>> speed is similar to ssl.
>>
>> Is it expected behavior?
>
> That's definitely not expected behavior. hostnossl should turn off ssl
> which should turn off the overhead completely. Does it make a difference if
> you also disable it from the client side?

When I explicitly disabled ssl, then I saw significantly less time

Regards

Pavel

> --
> Magnus Hagander
> Me: http://www.hagander.net/
> Work: http://www.redpill-linpro.com/

#4 Magnus Hagander
magnus@hagander.net
In reply to: Pavel Stehule (#3)
Re: slower connect from hostnossl clients

On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule <pavel.stehule@gmail.com>
wrote:

> 2016-06-07 11:29 GMT+02:00 Magnus Hagander <magnus@hagander.net>:
>
>> On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule <pavel.stehule@gmail.com>
>> wrote:
>>
>>> Hi
>>>
>>> I am testing speed of connection to Postgres.
>>>
>>> The ssl connection is slower, and it is expected. But when I configure
>>> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
>>> speed is similar to ssl.
>>>
>>> Is it expected behavior?
>>
>> That's definitely not expected behavior. hostnossl should turn off ssl
>> which should turn off the overhead completely. Does it make a difference if
>> you also disable it from the client side?
>
> When I explicitly disabled ssl, then I saw significantly less time

Interesting. Can you check with a network trace that it actually turns off
ssl, so nothing is broken there?

One thing that could be taking the time is an extra roundtrip -- e.g. it
tries to connect with ssl, fails, and retries without. A network trace should
also make this obvious, and can hopefully show you exactly where in the
connection the time is spent.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

#5 Andreas Karlsson
andreas@proxel.se
In reply to: Magnus Hagander (#4)
Re: slower connect from hostnossl clients

On 06/07/2016 12:18 PM, Magnus Hagander wrote:

> Interesting. Can you check with a network trace that it actually turns
> off ssl, so nothing is broken there?
>
> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl, fails, and retries without. A network trace
> should also make this obvious, and can hopefully show you exactly where
> in the connection the time is spent.

I think this is to be expected given that the backend code initializes
the TLS connection before it looks at anything in pg_hba.conf. The TLS
connection setup is done when calling BackendInitialize() which happens
very early in the life of a backend.

I am not familiar enough with this part of the code to know if there is
a reasonable way to fix this.

Andreas

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

#6 Magnus Hagander
magnus@hagander.net
In reply to: Andreas Karlsson (#5)
Re: slower connect from hostnossl clients

On Tue, Jun 7, 2016 at 12:41 PM, Andreas Karlsson <andreas@proxel.se> wrote:

> On 06/07/2016 12:18 PM, Magnus Hagander wrote:
>
>> Interesting. Can you check with a network trace that it actually turns
>> off ssl, so nothing is broken there?
>>
>> One thing that could be taking the time is an extra roundtrip -- e.g. it
>> tries to connect with ssl, fails, and retries without. A network trace
>> should also make this obvious, and can hopefully show you exactly where
>> in the connection the time is spent.
>
> I think this is to be expected given that the backend code initializes the
> TLS connection before it looks at anything in pg_hba.conf. The TLS
> connection setup is done when calling BackendInitialize() which happens
> very early in the life of a backend.
>
> I am not familiar enough with this part of the code to know if there is a
> reasonable way to fix this.

Hm. You're saying it's the actual
loading-of-certificate-and-setting-up-context that's slowing it down, not
the actual connection step?

Interesting, hadn't thought of that. I guess it can be - but it would
definitely be good to identify if that's really the case. If it is, there is
definitely some optimization to be done there.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

#7 Pavel Stehule
pavel.stehule@gmail.com
In reply to: Magnus Hagander (#4)
1 attachment(s)
Re: slower connect from hostnossl clients

2016-06-07 12:18 GMT+02:00 Magnus Hagander <magnus@hagander.net>:

> On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule <pavel.stehule@gmail.com>
> wrote:
>
>> 2016-06-07 11:29 GMT+02:00 Magnus Hagander <magnus@hagander.net>:
>>
>>> On Tue, Jun 7, 2016 at 11:24 AM, Pavel Stehule <pavel.stehule@gmail.com>
>>> wrote:
>>>
>>>> Hi
>>>>
>>>> I am testing speed of connection to Postgres.
>>>>
>>>> The ssl connection is slower, and it is expected. But when I configure
>>>> pg_hba.conf to disable ssl via hostnossl, then ssl is not used, but the
>>>> speed is similar to ssl.
>>>>
>>>> Is it expected behavior?
>>>
>>> That's definitely not expected behavior. hostnossl should turn off ssl
>>> which should turn off the overhead completely. Does it make a difference if
>>> you also disable it from the client side?
>>
>> When I explicitly disabled ssl, then I saw significantly less time
>
> Interesting. Can you check with a network trace that it actually turns off
> ssl, so nothing is broken there?

I tested it on local only. The difference is +/- 5-10 ms, but it is well
visible

My customer tested it on network, but on Windows, and there the difference is
about 100ms

Pavel

> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl, fails, and retries without. A network trace should
> also make this obvious, and can hopefully show you exactly where in the
> connection the time is spent.

See attached log

My pg_hba.conf

# TYPE DATABASE USER ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:

hostnossl all all 10.151.1.41/32 trust
# IPv6 local connections:
host all all ::1/128 trust

connection string
host=10.151.1.41 port=5432 dbname=postgres user=pavel

Regards

Pavel

> --
> Magnus Hagander
> Me: http://www.hagander.net/
> Work: http://www.redpill-linpro.com/

Attachments:

log (application/octet-stream)

#8 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Magnus Hagander (#4)
Re: slower connect from hostnossl clients

Magnus Hagander <magnus@hagander.net> writes:

> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl, fails, and retries without.

I'd assume a priori that that's it. If so, the fix is to configure libpq
to try non-SSL first not SSL first. There is an option for that, IIRC.

regards, tom lane

#9 Kyotaro HORIGUCHI
horiguchi.kyotaro@lab.ntt.co.jp
In reply to: Magnus Hagander (#4)
Re: slower connect from hostnossl clients

At Tue, 7 Jun 2016 12:18:31 +0200, Magnus Hagander <magnus@hagander.net> wrote in <CABUevEz5qRmq4EbYsBZ+uJfg_3_ap361ZQtgbH_eF+2j6P0zag@mail.gmail.com>

> On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule <pavel.stehule@gmail.com>
> wrote:
>
>>> That's definitely not expected behavior. hostnossl should turn off ssl
>>> which should turn off the overhead completely. Does it make a difference if
>>> you also disable it from the client side?
>>
>> When I explicitly disabled ssl, then I saw significantly less time
>
> Interesting. Can you check with a network trace that it actually turns off
> ssl, so nothing is broken there?
>
> One thing that could be taking the time is an extra roundtrip -- e.g. it
> tries to connect with ssl, fails, and retries without. A network trace should
> also make this obvious, and can hopefully show you exactly where in the
> connection the time is spent.

As Tom said, setting sslmode=allow or disable prevents
reconnection against hostnossl.

psql "sslmode=disable host=127.0.0.1 dbname=postgres"

There are 4 (disable, allow, prefer, require) * 3 (host, hostssl,
hostnossl) = 12 possible combinations (ignoring verify-* of
sslmode) of SSL usage preferences. Among these, the following two
combinations need reconnection.

prefer + hostnossl , allow + hostssl

Since no client can find whether a user can connect using (or not
using) SSL before making any connection, reconnection is
inevitable for the above combinations.

By the way, SSL initialization takes place only when an SSL connection
is requested from the server (NEGOTIATE_SSL_MODE), so only prefer +
hostnossl causes the wasted SSL initialization.

regards,

--
Kyotaro Horiguchi
NTT Open Source Software Center

#10 Pavel Stehule
pavel.stehule@gmail.com
In reply to: Kyotaro HORIGUCHI (#9)
Re: slower connect from hostnossl clients

2016-06-08 8:26 GMT+02:00 Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp>:

> At Tue, 7 Jun 2016 12:18:31 +0200, Magnus Hagander <magnus@hagander.net>
> wrote in <CABUevEz5qRmq4EbYsBZ+uJfg_3_ap361ZQtgbH_eF+2j6P0zag@mail.gmail.com>
>
>> On Tue, Jun 7, 2016 at 11:31 AM, Pavel Stehule <pavel.stehule@gmail.com>
>> wrote:
>>
>>>> That's definitely not expected behavior. hostnossl should turn off ssl
>>>> which should turn off the overhead completely. Does it make a difference if
>>>> you also disable it from the client side?
>>>
>>> When I explicitly disabled ssl, then I saw significantly less time
>>
>> Interesting. Can you check with a network trace that it actually turns off
>> ssl, so nothing is broken there?
>>
>> One thing that could be taking the time is an extra roundtrip -- e.g. it
>> tries to connect with ssl, fails, and retries without. A network trace should
>> also make this obvious, and can hopefully show you exactly where in the
>> connection the time is spent.
>
> As Tom said, setting sslmode=allow or disable prevents
> reconnection against hostnossl.
>
> psql "sslmode=disable host=127.0.0.1 dbname=postgres"
>
> There are 4 (disable, allow, prefer, require) * 3 (host, hostssl,
> hostnossl) = 12 possible combinations (ignoring verify-* of
> sslmode) of SSL usage preferences. Among these, the following two
> combinations need reconnection.
>
> prefer + hostnossl , allow + hostssl
>
> Since no client can find whether a user can connect using (or not
> using) SSL before making any connection, reconnection is
> inevitable for the above combinations.
>
> By the way, SSL initialization takes place only when an SSL connection
> is requested from the server (NEGOTIATE_SSL_MODE), so only prefer +
> hostnossl causes the wasted SSL initialization.

Thank you for detailed info

Regards

Pavel

> regards,
>
> --
> Kyotaro Horiguchi
> NTT Open Source Software Center
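
The sslmode and pg_hba.conf combinations discussed in this thread, as an added example that is not part of any message and is not PostgreSQL or libpq code: a simplified model of the client's attempt order against a single matching record type. It assumes the server has ssl = on and leaves out the verify-* modes, as message #9 does; all function and table names are hypothetical.

```python
# Added illustration, not PostgreSQL or libpq source.
# Assumptions: server has ssl = on; the single matching pg_hba.conf record
# is of the given type; verify-ca / verify-full are left out.
SSLMODES = ("disable", "allow", "prefer", "require")
HBA_TYPES = ("host", "hostssl", "hostnossl")
# Transports the client tries, in order, for each sslmode.
ATTEMPT_ORDER = {
    "disable": ("plain",),
    "allow": ("plain", "tls"),
    "prefer": ("tls", "plain"),
    "require": ("tls",),
}
# Transports each pg_hba.conf record type matches.
HBA_ACCEPTS = {
    "host": {"plain", "tls"},
    "hostssl": {"tls"},
    "hostnossl": {"plain"},
}

def connect(sslmode, hba_type):
    """Return (final transport or None, connection attempts, TLS handshakes)."""
    attempts = handshakes = 0
    for transport in ATTEMPT_ORDER[sslmode]:
        attempts += 1
        if transport == "tls":
            handshakes += 1  # handshake finishes before pg_hba.conf is consulted
        if transport in HBA_ACCEPTS[hba_type]:
            return transport, attempts, handshakes
    return None, attempts, handshakes

def matrix():
    return {(m, h): connect(m, h) for m in SSLMODES for h in HBA_TYPES}

def reconnecting():
    """Combinations that only connect on the second attempt."""
    return sorted(k for k, (t, n, _) in matrix().items() if t and n > 1)

def wasted_handshake():
    """Combinations that end up unencrypted after paying for a TLS handshake."""
    return sorted(k for k, (t, _, hs) in matrix().items() if t == "plain" and hs)

def ends_in_plaintext():
    """Combinations whose session is unencrypted, which sslmode=require rules out."""
    return sorted(k for k, (t, _, _) in matrix().items() if t == "plain")

if __name__ == "__main__":
    for (mode, hba), (transport, attempts, hs) in matrix().items():
        print(f"{mode:8} {hba:10} -> {transport or 'rejected':8} "
              f"attempts={attempts} tls_handshakes={hs}")
```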