<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Hi,</p>
<p>I would say, that the use of SSL should be encouraged if the connection goes through public networks. If the Postgis connection is within the company LAN I don't see a strong reason for enabling SSL, unless the company LAN is designed in an "unsafe" way, or if sensitive data must be hidden from other employees in the same company.</p>
<p>Personally, I never had good results (performance wise) if Postgis connections went through the public Internet, unless it is some "toy data".</p>
<p>For this reason, I usually used streaming replication to replicate Postgis, so it is as close as possible to the users who need the data. The streaming replication, if it goes through the public internet, of course should use SSL (or often it goes through an SSH tunnel).</p>
<p>Sorry, I don't have any data on the overhead of SSL connections though.</p>
<p>Andreas</p>
<p id="reply-intro">On 2019-06-17 08:48, Matthias Kuhn wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><!-- html ignored --><!-- head ignored --><!-- meta ignored -->
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><span style="white-space: nowrap;">Hi,</span><br /><br />The documentation currently promises "massive speed-ups in PostGIS layer rendering" with SSL disabled. [<a href="https://docs.qgis.org/2.18/en/docs/user_manual/managing_data_source/opening_data.html#creating-a-stored-connection" target="_blank" rel="noopener noreferrer">1</a>]<br /><br />I find some references to performance cost of SSL but they should be compensated for with connection pooling which we use for quite some time already.<br /><br />Recently, the web is more and more encrypted - and that is very good! - so I think we should also start to encourage people to encrypt their SSL connections. Or at least certainly not discourage them from using encryption by promising performance benefits.<br /><br />Is there anyone who knows why this sentence was introduced? And if there is (still) an issue with performance when using SSL?<br /><br /><span style="white-space: nowrap;">Best regards</span><br /><br />Matthias<br /><br />[1] <a href="https://docs.qgis.org/2.18/en/docs/user_manual/managing_data_source/opening_data.html#creating-a-stored-connection" target="_blank" rel="noopener noreferrer">https://docs.qgis.org/2.18/en/docs/user_manual/managing_data_source/opening_data.html#creating-a-stored-connection</a><br /><br /><span style="white-space: nowrap;">[2] <a href="https://github.com/qgis/QGIS-Documentation/pull/3840" target="_blank" rel="noopener noreferrer">https://github.com/qgis/QGIS-Documentation/pull/3840</a></span><br /><br />_______________________________________________<br /><span style="white-space: nowrap;">QGIS-Developer mailing list</span><br /><span style="white-space: nowrap;"><a href="mailto:QGIS-Developer@lists.osgeo.org" rel="noreferrer">QGIS-Developer@lists.osgeo.org</a></span><br /><span style="white-space: nowrap;">List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" target="_blank" rel="noopener noreferrer">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a></span><br /><span style="white-space: nowrap;">Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" target="_blank" rel="noopener noreferrer">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a></span></div>
</blockquote>
<p><br /></p>
</body></html>