Commit 0ba71107 authored by Michael Paquier's avatar Michael Paquier

Revert changes for SSL compression in libpq

This partially reverts 096bbf7c and 9d2d4570, undoing the libpq changes as
it could cause breakages in distributions that share one single libpq
version across multiple major versions of Postgres for extensions and
applications linking to that.

Note that the backend is unchanged here, and it still disables SSL
compression while simplifying the underlying catalogs that tracked if
compression was enabled or not for a SSL connection.

Per discussion with Tom Lane and Daniel Gustafsson.

Discussion: https://postgr.es/m/YEbq15JKJwIX+S6m@paquier.xyz
parent 6540cc51
...@@ -163,11 +163,11 @@ ALTER SERVER testserver1 OPTIONS ( ...@@ -163,11 +163,11 @@ ALTER SERVER testserver1 OPTIONS (
keepalives_interval 'value', keepalives_interval 'value',
tcp_user_timeout 'value', tcp_user_timeout 'value',
-- requiressl 'value', -- requiressl 'value',
sslcompression 'value',
sslmode 'value', sslmode 'value',
sslcert 'value', sslcert 'value',
sslkey 'value', sslkey 'value',
sslrootcert 'value', sslrootcert 'value',
sslcompression 'value',
sslcrl 'value', sslcrl 'value',
--requirepeer 'value', --requirepeer 'value',
krbsrvname 'value', krbsrvname 'value',
...@@ -177,11 +177,11 @@ ALTER SERVER testserver1 OPTIONS ( ...@@ -177,11 +177,11 @@ ALTER SERVER testserver1 OPTIONS (
keepalives_interval 'value', keepalives_interval 'value',
tcp_user_timeout 'value', tcp_user_timeout 'value',
-- requiressl 'value', -- requiressl 'value',
sslcompression 'value',
sslmode 'value', sslmode 'value',
sslcert 'value', sslcert 'value',
sslkey 'value', sslkey 'value',
sslrootcert 'value', sslrootcert 'value',
sslcompression 'value',
sslcrl 'value', sslcrl 'value',
--requirepeer 'value', --requirepeer 'value',
krbsrvname 'value', krbsrvname 'value',
...@@ -1640,7 +1640,26 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname ...@@ -1640,7 +1640,26 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<term><literal>sslcompression</literal></term> <term><literal>sslcompression</literal></term>
<listitem> <listitem>
<para> <para>
Ignored (formerly, this specified whether to attempt SSL compression). If set to 1, data sent over SSL connections will be compressed. If
set to 0, compression will be disabled. The default is 0. This
parameter is ignored if a connection without SSL is made.
</para>
<para>
SSL compression is nowadays considered insecure and its use is no
longer recommended. <productname>OpenSSL</productname> 1.1.0 disables
compression by default, and many operating system distributions
disable it in prior versions as well, so setting this parameter to on
will not have any effect if the server does not accept compression.
<productname>PostgreSQL</productname> 14 disables compression
completely in the backend.
</para>
<para>
If security is not a primary concern, compression can improve
throughput if the network is the bottleneck. Disabling compression
can improve response time and throughput if CPU performance is the
limiting factor.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -2533,7 +2552,9 @@ const char *PQsslAttribute(const PGconn *conn, const char *attribute_name); ...@@ -2533,7 +2552,9 @@ const char *PQsslAttribute(const PGconn *conn, const char *attribute_name);
<term><literal>compression</literal></term> <term><literal>compression</literal></term>
<listitem> <listitem>
<para> <para>
SSL compression is no longer supported, always returns "off". If SSL compression is in use, returns the name of the compression
algorithm, or "on" if compression is used but the algorithm is
not known. If compression is not in use, returns "off".
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -7168,6 +7189,16 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough) ...@@ -7168,6 +7189,16 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<indexterm>
<primary><envar>PGSSLCOMPRESSION</envar></primary>
</indexterm>
<envar>PGSSLCOMPRESSION</envar> behaves the same as the <xref
linkend="libpq-connect-sslcompression"/> connection parameter.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<indexterm> <indexterm>
...@@ -3509,6 +3509,7 @@ printSSLInfo(void) ...@@ -3509,6 +3509,7 @@ printSSLInfo(void)
const char *protocol; const char *protocol;
const char *cipher; const char *cipher;
const char *bits; const char *bits;
const char *compression;
if (!PQsslInUse(pset.db)) if (!PQsslInUse(pset.db))
return; /* no SSL */ return; /* no SSL */
...@@ -3516,11 +3517,13 @@ printSSLInfo(void) ...@@ -3516,11 +3517,13 @@ printSSLInfo(void)
protocol = PQsslAttribute(pset.db, "protocol"); protocol = PQsslAttribute(pset.db, "protocol");
cipher = PQsslAttribute(pset.db, "cipher"); cipher = PQsslAttribute(pset.db, "cipher");
bits = PQsslAttribute(pset.db, "key_bits"); bits = PQsslAttribute(pset.db, "key_bits");
compression = PQsslAttribute(pset.db, "compression");
printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s)\n"), printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s, compression: %s)\n"),
protocol ? protocol : _("unknown"), protocol ? protocol : _("unknown"),
cipher ? cipher : _("unknown"), cipher ? cipher : _("unknown"),
bits ? bits : _("unknown")); bits ? bits : _("unknown"),
(compression && strcmp(compression, "off") != 0) ? _("on") : _("off"));
} }
/* /*
...@@ -275,12 +275,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = { ...@@ -275,12 +275,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"SSL-Mode", "", 12, /* sizeof("verify-full") == 12 */ "SSL-Mode", "", 12, /* sizeof("verify-full") == 12 */
offsetof(struct pg_conn, sslmode)}, offsetof(struct pg_conn, sslmode)},
/* {"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
* "sslcompression" is no longer used, but keep it present for backwards "SSL-Compression", "", 1,
* compatibility. offsetof(struct pg_conn, sslcompression)},
*/
{"sslcompression", NULL, NULL, NULL,
"SSL-Compression", "", 1, -1},
{"sslcert", "PGSSLCERT", NULL, NULL, {"sslcert", "PGSSLCERT", NULL, NULL,
"SSL-Client-Cert", "", 64, "SSL-Client-Cert", "", 64,
...@@ -4054,6 +4051,8 @@ freePGconn(PGconn *conn) ...@@ -4054,6 +4051,8 @@ freePGconn(PGconn *conn)
free(conn->sslcrl); free(conn->sslcrl);
if (conn->sslcrldir) if (conn->sslcrldir)
free(conn->sslcrldir); free(conn->sslcrldir);
if (conn->sslcompression)
free(conn->sslcompression);
if (conn->requirepeer) if (conn->requirepeer)
free(conn->requirepeer); free(conn->requirepeer);
if (conn->ssl_min_protocol_version) if (conn->ssl_min_protocol_version)
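Review bot: The restored PQconninfoOptions entry for "sslcompression" carries no comment, while the lines it replaces explained why the option was kept, and this entry once again makes the PGSSLCOMPRESSION environment variable a process-wide default for a feature the libpq.sgml hunk in this same commit describes as insecure. A short comment above the entry would help the next reader, e.g. `/* Off by default ("0"); a "1" only takes effect if the server still accepts compression, see sslcompression in libpq.sgml */`. The PQconninfoOptions array begins and ends outside the hunk. The `if (conn->sslcompression)` guard before free() in the freePGconn hunk is redundant, but it matches every neighbouring line, so I would leave it as is.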
...@@ -1257,8 +1257,13 @@ initialize_SSL(PGconn *conn) ...@@ -1257,8 +1257,13 @@ initialize_SSL(PGconn *conn)
if (have_rootcert) if (have_rootcert)
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
/* disable SSL compression */ /*
SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION); * Set compression option if necessary.
*/
if (conn->sslcompression && conn->sslcompression[0] == '0')
SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
else
SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
return 0; return 0;
} }
...@@ -1548,12 +1553,8 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) ...@@ -1548,12 +1553,8 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
if (strcmp(attribute_name, "cipher") == 0) if (strcmp(attribute_name, "cipher") == 0)
return SSL_get_cipher(conn->ssl); return SSL_get_cipher(conn->ssl);
/*
* SSL compression is disabled, so even if connecting to an older server
* which still supports it, it will not be active.
*/
if (strcmp(attribute_name, "compression") == 0) if (strcmp(attribute_name, "compression") == 0)
return "off"; return SSL_get_current_compression(conn->ssl) ? "on" : "off";
if (strcmp(attribute_name, "protocol") == 0) if (strcmp(attribute_name, "protocol") == 0)
return SSL_get_version(conn->ssl); return SSL_get_version(conn->ssl);
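Review bot: In the initialize_SSL hunk the restored option handling fails open: SSL_OP_NO_COMPRESSION is cleared for every sslcompression value that does not start with '0', so a NULL, empty or unrecognised value enables compression, which is the direction the documentation hunk in this commit calls insecure. With the "0" default from the fe-connect.c hunk the NULL case presumably only arises when the option is explicitly blanked, but an empty or garbled string still takes the else branch. Only an explicit '1' should clear the option and the set should be the fallback: `if (conn->sslcompression && conn->sslcompression[0] == '1') SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION); else SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);`. initialize_SSL begins outside the hunk; the PQsslAttribute hunk that now reads SSL_get_current_compression() is consistent with either form.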
...@@ -358,6 +358,7 @@ struct pg_conn ...@@ -358,6 +358,7 @@ struct pg_conn
char *keepalives_count; /* maximum number of TCP keepalive char *keepalives_count; /* maximum number of TCP keepalive
* retransmits */ * retransmits */
char *sslmode; /* SSL mode (require,prefer,allow,disable) */ char *sslmode; /* SSL mode (require,prefer,allow,disable) */
char *sslcompression; /* SSL compression (0 or 1) */
char *sslkey; /* client key filename */ char *sslkey; /* client key filename */
char *sslcert; /* client certificate filename */ char *sslcert; /* client certificate filename */
char *sslpassword; /* client key file password */ char *sslpassword; /* client key file password */
...@@ -17,7 +17,7 @@ if ($ENV{with_ssl} ne 'openssl') ...@@ -17,7 +17,7 @@ if ($ENV{with_ssl} ne 'openssl')
} }
else else
{ {
plan tests => 101; plan tests => 100;
} }
#### Some configuration #### Some configuration
...@@ -157,13 +157,6 @@ test_connect_fails( ...@@ -157,13 +157,6 @@ test_connect_fails(
qr/root certificate file "invalid" does not exist/, qr/root certificate file "invalid" does not exist/,
"connect without server root cert sslmode=verify-full"); "connect without server root cert sslmode=verify-full");
# Test deprecated SSL parameters, still accepted for backwards
# compatibility.
test_connect_ok(
$common_connstr,
"sslrootcert=invalid sslmode=require sslcompression=1 requiressl=1",
"connect with deprecated connection parameters");
# Try with wrong root cert, should fail. (We're using the client CA as the # Try with wrong root cert, should fail. (We're using the client CA as the
# root, but the server's key is signed by the server CA.) # root, but the server's key is signed by the server CA.)
test_connect_fails($common_connstr, test_connect_fails($common_connstr,
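Review bot: Removing the test_connect_ok call in the second hunk leaves no test that a client passing sslcompression=1 still connects now that libpq honours the option again while the backend, per the commit message, refuses compression. A replacement case that connects with `sslcompression=1` and expects success (and, where the harness can read it, a "compression" attribute of "off") would keep that path covered; the plan count in the first hunk would then need to move back up. The surrounding test cases are outside the hunk.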