Mark Mielke wrote: > Bruce Momjian wrote: > > Good point. I have added the last two sentences to the documentation > > paragraph to highlight this issue: > > > > <productname>OpenSSL</productname> supports a wide range of ciphers > > and authentication algorithms, of varying strength. While a list of > > ciphers can be specified in the <productname>OpenSSL</productname> > > configuration file, you can specify ciphers specifically for use by > > the database server by modifying <xref linkend="guc-ssl-ciphers"> in > > <filename>postgresql.conf</>. It is possible to have authentication > > without the overhead of encryption by using <literal>NULL-SHA</> or > > <literal>NULL-MD5</> ciphers. However, a man-in-the-middle could read > > and pass communications between client and server. > > > A fact that the above misses, is that symmetric key encryption is > actually quite cheap. It is asymmetric key encryption that is expensive. > If you look up information on SSL accelerators, you will find claims > that the initial SSL authentication negotiation is 1000X as expensive as > the actual data encryption for a running session, and that SSL web > services are usually limited by their ability to negotiate NEW sessions. > In other words, as well intentioned and accurate as the claim you make > above, it may be irrelevant in many real world scenarios. If you are > going to go through all the expensive processing of having > authentication enabled, you may as well have encryption enabled too.
OK, updated paragraph: It is possible to have authentication without encryption overhead by using <literal>NULL-SHA</> or <literal>NULL-MD5</> ciphers. However, a man-in-the-middle could read and pass communications between client and server. Also, encryption overhead is minimal compared to the overhead of authentication. For these reasons NULL ciphers are not recommended. -- Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us EnterpriseDB http://postgres.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + ---------------------------(end of broadcast)--------------------------- TIP 4: Have you searched our list archives? http://archives.postgresql.org