Bruce Momjian wrote:
Good point.  I have added the last two sentences to the documentation
paragraph to highlight this issue:

   <productname>OpenSSL</productname> supports a wide range of ciphers
   and authentication algorithms, of varying strength.  While a list of
   ciphers can be specified in the <productname>OpenSSL</productname>
   configuration file, you can specify ciphers specifically for use by
   the database server by modifying <xref linkend="guc-ssl-ciphers"> in
   <filename>postgresql.conf</>.  It is possible to have authentication
   without the overhead of encryption by using <literal>NULL-SHA</> or
   <literal>NULL-MD5</> ciphers.  However, a man-in-the-middle could read
   and pass communications between client and server.
A fact that the above misses, is that symmetric key encryption is actually quite cheap. It is asymmetric key encryption that is expensive. If you look up information on SSL accelerators, you will find claims that the initial SSL authentication negotiation is 1000X as expensive as the actual data encryption for a running session, and that SSL web services are usually limited by their ability to negotiate NEW sessions. In other words, as well intentioned and accurate as the claim you make above, it may be irrelevant in many real world scenarios. If you are going to go through all the expensive processing of having authentication enabled, you may as well have encryption enabled too.

Cheers,
mark

--
Mark Mielke <[EMAIL PROTECTED]>

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
      choose an index scan if your joining column's datatypes do not
      match

Reply via email to