<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<meta name="Generator" content="Microsoft Word 15 (filtered medium)">

<style><!--

/* Font Definitions */

@font-face

        {font-family:Wingdings;

        panose-1:5 0 0 0 0 0 0 0 0 0;}

@font-face

        {font-family:"Cambria Math";

        panose-1:2 4 5 3 5 4 6 3 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Verdana;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0cm;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

p

        {mso-style-priority:99;

        mso-margin-top-alt:auto;

        margin-right:0cm;

        mso-margin-bottom-alt:auto;

        margin-left:0cm;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph

        {mso-style-priority:34;

        margin-top:0cm;

        margin-right:0cm;

        margin-bottom:0cm;

        margin-left:36.0pt;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

span.E-MailFormatvorlage18

        {mso-style-type:personal-reply;

        font-family:"Calibri",sans-serif;

        color:#1F497D;}

.MsoChpDefault

        {mso-style-type:export-only;

        font-size:10.0pt;}

@page WordSection1

        {size:612.0pt 792.0pt;

        margin:70.85pt 70.85pt 2.0cm 70.85pt;}

div.WordSection1

        {page:WordSection1;}

/* List Definitions */

@list l0

        {mso-list-id:682976410;

        mso-list-type:hybrid;

        mso-list-template-ids:1019897014 -194066952 134676483 134676485 134676481 134676483 134676485 134676481 134676483 134676485;}

@list l0:level1

        {mso-level-start-at:0;

        mso-level-number-format:bullet;

        mso-level-text:-;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-18.0pt;

        font-family:"Calibri",sans-serif;

        mso-fareast-font-family:Calibri;}

@list l0:level2

        {mso-level-number-format:bullet;

        mso-level-text:o;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-18.0pt;

        font-family:"Courier New";}

@list l0:level3

        {mso-level-number-format:bullet;

        mso-level-text:;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-18.0pt;

        font-family:Wingdings;}

@list l0:level4

        {mso-level-number-format:bullet;

        mso-level-text:;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-18.0pt;

        font-family:Symbol;}

@list l0:level5

        {mso-level-number-format:bullet;

        mso-level-text:o;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-18.0pt;

        font-family:"Courier New";}

@list l0:level6

        {mso-level-number-format:bullet;

        mso-level-text:;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-18.0pt;

        font-family:Wingdings;}

@list l0:level7

        {mso-level-number-format:bullet;

        mso-level-text:;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-18.0pt;

        font-family:Symbol;}

@list l0:level8

        {mso-level-number-format:bullet;

        mso-level-text:o;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-18.0pt;

        font-family:"Courier New";}

@list l0:level9

        {mso-level-number-format:bullet;

        mso-level-text:;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-18.0pt;

        font-family:Wingdings;}

ol

        {margin-bottom:0cm;}

ul

        {margin-bottom:0cm;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]-->

</head>

<body lang="DE-CH" link="blue" vlink="purple">

<div class="WordSection1">

<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">One of our customers (Swiss National Bank) mandates the use of SSL in their internal LAN, even for DB connections.  <o:p></o:p></span></p>

<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Using anything but SSL is an insecure mode of communication, even in LAN.

<o:p></o:p></span></p>

<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">RSA/DSA Accepted key-length is 2048 bit, recommended is 3072, ECC is 160 Bit, recommended 256.

<o:p></o:p></span></p>

<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">         

</span></span></span><![endif]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Only latest version of OpenSSL allowed

<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">         

</span></span></span><![endif]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Accepted TLS 1.1+, recommended TLS 1.2+

<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">         

</span></span></span><![endif]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">SSL Version 3.0 or older are explicitly forbidden

<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">         

</span></span></span><![endif]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Sha-1 is disallowed, sha2/3 accepted @ hash length 256 Bit

<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">         

</span></span></span><![endif]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Extended Validation certificates have to be used<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">         

</span></span></span><![endif]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Wildcards in fully qualified names not allowed

<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">         

</span></span></span><![endif]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Accepted: CTR/CBC/CCM/EAX, recommended GCM

<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">         

</span></span></span><![endif]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">SSL accepted with forward secrecy Disabled, recommended Enabled

<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">         

</span></span></span><![endif]><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Recommended CryptRandom: /dev/random, /dev/urandom,

<o:p></o:p></span></p>

<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">as per IT Security Baseline 2017-07-20<o:p></o:p></span></p>

<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<div>

<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">

<p class="MsoNormal"><b><span lang="DE" style="font-size:11.0pt;font-family:"Calibri",sans-serif">Von:</span></b><span lang="DE" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> QGIS-Developer [mailto:qgis-developer-bounces@lists.osgeo.org]

<b>Im Auftrag von </b>Andreas Neumann<br>

<b>Gesendet:</b> Montag, 17. Juni 2019 09:05<br>

<b>An:</b> Matthias Kuhn <matthias@opengis.ch><br>

<b>Cc:</b> qgis-developer@lists.osgeo.org<br>

<b>Betreff:</b> Re: [QGIS-Developer] SSL Performance Overhead<o:p></o:p></span></p>

</div>

</div>

<p class="MsoNormal"><o:p> </o:p></p>

<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif">Hi,<o:p></o:p></span></p>

<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif">I would say, that the use of SSL should be encouraged if the connection goes through public networks. If the Postgis connection is within the company LAN I don't see a strong reason for enabling

 SSL, unless the company LAN is designed in an "unsafe" way, or if sensitive data must be hidden from other employees in the same company.<o:p></o:p></span></p>

<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif">Personally, I never had good results (performance wise) if Postgis connections went through the public Internet, unless it is some "toy data".<o:p></o:p></span></p>

<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif">For this reason, I usually used streaming replication to replicate Postgis, so it is as close as possible to the users who need the data. The streaming replication, if it goes through the public

 internet, of course should use SSL (or often it goes through an SSH tunnel).<o:p></o:p></span></p>

<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif">Sorry, I don't have any data on the overhead of SSL connections though.<o:p></o:p></span></p>

<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif">Andreas<o:p></o:p></span></p>

<p id="reply-intro"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif">On 2019-06-17 08:48, Matthias Kuhn wrote:<o:p></o:p></span></p>

<blockquote style="border:none;border-left:solid #1010FF 1.5pt;padding:0cm 0cm 0cm 5.0pt;margin-left:0cm;margin-right:0cm">

<div>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">Hi,<br>

<br>

The documentation currently promises "massive speed-ups in PostGIS layer rendering" with SSL disabled. [<a href="https://docs.qgis.org/2.18/en/docs/user_manual/managing_data_source/opening_data.html#creating-a-stored-connection" target="_blank">1</a>]<br>

<br>

I find some references to performance cost of SSL but they should be compensated for with connection pooling which we use for quite some time already.<br>

<br>

Recently, the web is more and more encrypted - and that is very good! - so I think we should also start to encourage people to encrypt their SSL connections. Or at least certainly not discourage them from using encryption by promising performance benefits.<br>

<br>

Is there anyone who knows why this sentence was introduced? And if there is (still) an issue with performance when using SSL?<br>

<br>

Best regards<br>

<br>

Matthias<br>

<br>

[1] <a href="https://docs.qgis.org/2.18/en/docs/user_manual/managing_data_source/opening_data.html#creating-a-stored-connection" target="_blank">

https://docs.qgis.org/2.18/en/docs/user_manual/managing_data_source/opening_data.html#creating-a-stored-connection</a><br>

<br>

[2] <a href="https://github.com/qgis/QGIS-Documentation/pull/3840" target="_blank">https://github.com/qgis/QGIS-Documentation/pull/3840</a><br>

<br>

_______________________________________________<br>

QGIS-Developer mailing list<br>

<a href="mailto:QGIS-Developer@lists.osgeo.org">QGIS-Developer@lists.osgeo.org</a><br>

List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>

Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><o:p></o:p></span></p>

</div>

</blockquote>

<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif"><o:p> </o:p></span></p>

</div>

</body>

</html>