Configuring SSL Encryption
SSL is enabled by default when you create an RDS for PostgreSQL DB instance and cannot be disabled after the instance is created. SSL encryption ensures that all communications between a client and server are encrypted, preventing data leakage and tampering and ensuring data integrity.
Impact of SSL Encryption on Database Performance
Enabling SSL reduces the read-only and read/write performance of your instance by about 20%.
The impact varies depending on the service model. SSL encryption has little impact on database performance when complex SQL statements are executed, because the execution of such statements takes a long time. SSL encryption does decrease performance when simple SQL statements are executed, because they execute quickly.
Checking Whether SSL Is Enabled on the Server
By default, SSL is enabled on the RDS for PostgreSQL instance server. You can log in to the instance and run the following SQL command to check whether SSL is enabled:
show ssl;
If the ssl value is on, SSL is enabled on the server.
If the ssl value is off, SSL is disabled on the server.
Note
SSL is enabled on the server by default and cannot be disabled.
Checking Whether SSL Is Enabled on the Client
You can check whether the client uses SSL encryption in either of the following ways:
Check whether the following information is displayed when you use psql to connect to the DB instance:
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
protocol indicates the SSL connection protocol, which is TLSv1.2.
cipher indicates the encryption algorithm used for SSL connection, which is ECDHE-RSA-AES256-GCM-SHA384.
bits indicates the key length, which is 256 bits.
Query the pg_stat_ssl view to check whether the client uses an SSL connection. If it does, the corresponding connection information is displayed in the view.
SELECT * FROM pg_stat_ssl;
This query returns the statistics of all current SSL connections, including the process ID, client IP address, SSL protocol version, SSL encryption algorithm, and validity and expiration date of the client certificate. If the client uses an SSL connection, you can view the related information in this view.
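The following queries are an added example, not part of the original documentation. They narrow the pg_stat_ssl check to the current session and then audit every client session by joining pg_stat_ssl to pg_stat_activity for the user, database and client address. The TLSv1.2 minimum, the 128-bit threshold and the finding labels are assumptions chosen for illustration.

```sql
-- Added example. Assumes a PostgreSQL version that provides pg_stat_ssl and
-- an account permitted to see statistics for other users' sessions.

-- 1. Is the session I am using right now encrypted?
SELECT ssl, version, cipher, bits
FROM pg_stat_ssl
WHERE pid = pg_backend_pid();

-- 2. Audit all client sessions and flag the ones that need attention.
SELECT
    a.pid,
    a.usename,
    a.datname,
    a.client_addr,
    s.ssl,
    s.version AS tls_version,
    s.cipher,
    s.bits,
    CASE
        -- Treat a NULL ssl value as unknown rather than reporting it as OK.
        WHEN s.ssl IS NULL THEN 'UNKNOWN'
        WHEN NOT s.ssl THEN 'PLAINTEXT'
        -- Assumed policy: anything older than TLSv1.2 is legacy.
        WHEN s.version NOT IN ('TLSv1.2', 'TLSv1.3') THEN 'LEGACY_TLS'
        -- Assumed policy: require at least a 128-bit cipher.
        WHEN s.bits < 128 THEN 'WEAK_CIPHER'
        ELSE 'OK'
    END AS finding
FROM pg_stat_ssl AS s
JOIN pg_stat_activity AS a USING (pid)
WHERE a.client_addr IS NOT NULL   -- sessions that arrived over TCP
ORDER BY s.ssl, a.client_addr;    -- unencrypted sessions sort first
```

On an instance where SSL is on for the server, a PLAINTEXT row means that particular client connected without SSL, which is a client-side setting to correct.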