Commit e3bdb2d9 authored by Peter Eisentraut's avatar Peter Eisentraut

Set libpq sslcompression to off by default

Since SSL compression is no longer recommended, turn the default in
libpq from on to off.

OpenSSL 1.1.0 and many distribution packages already turn compression
off by default, so such a server won't accept compression anyway.  So
this will mainly affect users of older OpenSSL installations.

Also update the documentation to make clear that this setting is no
longer recommended.

Discussion: https://www.postgresql.org/message-id/flat/595cf3b1-4ffe-7f05-6f72-f72b7afa7993%402ndquadrant.com
parent 8a3d9425
...@@ -1438,19 +1438,28 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname ...@@ -1438,19 +1438,28 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<term><literal>sslcompression</literal></term> <term><literal>sslcompression</literal></term>
<listitem> <listitem>
<para> <para>
If set to 1 (default), data sent over SSL connections will be If set to 1, data sent over SSL connections will be compressed. If
compressed. set to 0, compression will be disabled. The default is 0. This
If set to 0, compression will be disabled (this requires parameter is ignored if a connection without SSL is made.
<productname>OpenSSL</productname> 1.0.0 or later).
This parameter is ignored if a connection without SSL is made,
or if the version of <productname>OpenSSL</productname> used does not support
it.
</para> </para>
<para>
SSL compression is nowadays considered insecure and its use is no
longer recommended. <productname>OpenSSL</productname> 1.1.0 disables
compression by default, and many operating system distributions
disable it in prior versions as well, so setting this parameter to on
will not have any effect if the server does not accept compression.
On the other hand, <productname>OpenSSL</productname> before 1.0.0
does not support disabling compression, so this parameter is ignored
with those versions, and whether compression is used depends on the
server.
</para>
<para> <para>
Compression uses CPU time, but can improve throughput if If security is not a primary concern, compression can improve
the network is the bottleneck. throughput if the network is the bottleneck. Disabling compression
Disabling compression can improve response time and throughput can improve response time and throughput if CPU performance is the
if CPU performance is the limiting factor. limiting factor.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
......
...@@ -279,7 +279,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = { ...@@ -279,7 +279,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"SSL-Mode", "", 12, /* sizeof("verify-full") == 12 */ "SSL-Mode", "", 12, /* sizeof("verify-full") == 12 */
offsetof(struct pg_conn, sslmode)}, offsetof(struct pg_conn, sslmode)},
{"sslcompression", "PGSSLCOMPRESSION", "1", NULL, {"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
"SSL-Compression", "", 1, "SSL-Compression", "", 1,
offsetof(struct pg_conn, sslcompression)}, offsetof(struct pg_conn, sslcompression)},
......
...@@ -1188,14 +1188,14 @@ initialize_SSL(PGconn *conn) ...@@ -1188,14 +1188,14 @@ initialize_SSL(PGconn *conn)
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
/* /*
* If the OpenSSL version used supports it (from 1.0.0 on) and the user * Set compression option if the OpenSSL version used supports it (from
* requested it, disable SSL compression. * 1.0.0 on).
*/ */
#ifdef SSL_OP_NO_COMPRESSION #ifdef SSL_OP_NO_COMPRESSION
if (conn->sslcompression && conn->sslcompression[0] == '0') if (conn->sslcompression && conn->sslcompression[0] == '0')
{
SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION); SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
} else
SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
#endif #endif
return 0; return 0;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment