On 3/11/18 04:00, Magnus Hagander wrote:
> I am not talking about the OpenSSL disabling it. It was disabled on most
> *distributions* years ago, long before that commit. Which is why I'm
> still curious as to what platform you actually got it enabled by default
> on...

Homebrew package

>     So for your purposes, you could add a server option to turn it back on.
> 
>     Such a server option would also be useful for those users who are using
>     OpenSSL <1.1.0 and want to turn off compression on the server side.
> 
> 
> We'd probably have to put in the distribution specific workarounds like
> mentioned above to make it actually useful for that. 

The change in the Debian package I found was to build without zlib at
all.  So no amount of turning it back on will help.  Whereas the
upstream change was just to make the default to be off.  But anyway,
this feature is clearly dying, so we probably shouldn't be trying very
hard to keep it.

My proposal is the attached patch that sets the default in libpq to off
and adjusts the documentation a bit so it doesn't sound like we have
missed the news altogether.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From 42d7f920c2732b5ea47bffd7bc1dc03b36fb6d05 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pete...@gmx.net>
Date: Sun, 11 Mar 2018 08:53:33 -0400
Subject: [PATCH] Set libpq sslcompression to off by default

Since SSL compression is no longer recommended, turn the default in
libpq from on to off.

OpenSSL 1.1.0 and many distribution packages already turn compression
off by default, so such a server won't accept compression anyway.  So
this will mainly affect users of older OpenSSL installations.

Also update the documentation to make clear that this setting is no
longer recommended.
---
 doc/src/sgml/libpq.sgml                  | 24 +++++++++++++-----------
 src/interfaces/libpq/fe-connect.c        |  2 +-
 src/interfaces/libpq/fe-secure-openssl.c |  8 ++++----
 3 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index da9421486b..18686bcad3 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1438,19 +1438,21 @@ <title>Parameter Key Words</title>
       <term><literal>sslcompression</literal></term>
       <listitem>
        <para>
-        If set to 1 (default), data sent over SSL connections will be
-        compressed.
-        If set to 0, compression will be disabled (this requires
-        <productname>OpenSSL</productname> 1.0.0 or later).
-        This parameter is ignored if a connection without SSL is made,
-        or if the version of <productname>OpenSSL</productname> used does not 
support
-        it.
+        If set to 1, data sent over SSL connections will be compressed.  If
+        set to 0, compression will be disabled.  The default is 0.  This
+        parameter is ignored if a connection without SSL is made.
        </para>
+
        <para>
-        Compression uses CPU time, but can improve throughput if
-        the network is the bottleneck.
-        Disabling compression can improve response time and throughput
-        if CPU performance is the limiting factor.
+        SSL compression is nowadays considered insecure and its use is no
+        longer recommended.  <productname>OpenSSL</productname> 1.1.0 disables
+        compression by default, and many operating system distributions
+        disable it in prior versions as well, so setting this parameter to on
+        will not have any effect if the server does not accept compression.
+        On the other hand, <productname>OpenSSL</productname> before 1.0.0
+        does not support disabling compression, so this parameter is ignored
+        with those versions, and whether compression is used depends on the
+        server.
        </para>
       </listitem>
      </varlistentry>
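Review bot: the new second paragraph says "setting this parameter to on", but the first paragraph (and the code) only define the values 1 and 0, so "to 1" would be consistent with the rest of the entry. The paragraph also asserts that compression is "nowadays considered insecure" without saying why; a short clause or a link pointing the reader to the reason would make the recommendation actionable rather than an assertion. Lastly, the removed text noted that the parameter is ignored when OpenSSL lacks support for it; the new last sentence covers pre-1.0.0 builds, but a build without compression support at all (which the thread mentions for Debian) is no longer described, so consider adding that case.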
diff --git a/src/interfaces/libpq/fe-connect.c 
b/src/interfaces/libpq/fe-connect.c
index 77eebb0ba1..39c19998c2 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -279,7 +279,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = 
{
                "SSL-Mode", "", 12,             /* sizeof("verify-full") == 12 
*/
        offsetof(struct pg_conn, sslmode)},
 
-       {"sslcompression", "PGSSLCOMPRESSION", "1", NULL,
+       {"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
                "SSL-Compression", "", 1,
        offsetof(struct pg_conn, sslcompression)},
 
diff --git a/src/interfaces/libpq/fe-secure-openssl.c 
b/src/interfaces/libpq/fe-secure-openssl.c
index cade4e157c..25aa7a21bf 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1188,14 +1188,14 @@ initialize_SSL(PGconn *conn)
                SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
 
        /*
-        * If the OpenSSL version used supports it (from 1.0.0 on) and the user
-        * requested it, disable SSL compression.
+        * Set compression option if the OpenSSL version used supports it (from
+        * 1.0.0 on).
         */
 #ifdef SSL_OP_NO_COMPRESSION
        if (conn->sslcompression && conn->sslcompression[0] == '0')
-       {
                SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
-       }
+       else
+               SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
 #endif
 
        return 0;
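Review bot: the new `else` branch changes the meaning of `sslcompression=1` rather than only the default. Before this hunk, a value other than "0" left the OpenSSL defaults untouched; now `SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION)` actively strips the option, so if the SSL_CTX already has SSL_OP_NO_COMPRESSION set (the commit message says OpenSSL 1.1.0 turns compression off by default), libpq will start offering compression where it previously did not. If that is intended, the commit message and the documentation paragraph in the first hunk should say so; if not, drop the `else` branch and keep only the disable path. A second issue is that the test `conn->sslcompression[0] == '0'` treats every string that does not begin with '0' as "on", so `sslcompression=off`, `false`, or `no` would now re-enable compression via the new `SSL_clear_options` call; given the parameter is now security-relevant, consider accepting exactly "0" and "1" and rejecting anything else at connection-option parsing time.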

base-commit: b6e132ddc8601c99ac5466792f6128ee859f4128
-- 
2.16.2
