Re: Disable OpenSSL compression - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: Disable OpenSSL compression
Date
Msg-id CABUevEyNaeKKDGQLnNZ2e09X+rez=nXdbE+xSiSApvTXHCd_ew@mail.gmail.com
Whole thread Raw
In response to Re: Disable OpenSSL compression  ("Albe Laurenz" <laurenz.albe@wien.gv.at>)
Responses Re: Disable OpenSSL compression
Re: Disable OpenSSL compression
List pgsql-hackers
On Wednesday, November 9, 2011, Albe Laurenz wrote:
Christopher Browne wrote:
>> I think that JDBC and Npgsql should also support disabling
compression.
>
> That's the *real* problem here...
>
> You're quite right that if we allow controlling this on the libpq
> side, it is surely desirable to allow controlling this via JDBC,
> Npgsql, and other mechanisms people may have around.
[...]
> With that series of complications, I wonder if maybe the right place
> to control this is pg_hba.conf.

I think that wouldn't work, because to query pg_hba.conf, you have to
know user and database, which come from the client side.
But the SSL negotiation takes place earlier, namely when the
connection is established.

Oh, right, that's going to be a problem doing it there.
 

> I wonder how many SSL parameters there are which would be worth trying
> to have available.  I expect we'd benefit from looking at all the
> relevant ones at once, so as to not have the problem of hacking "one
> more" into place and perhaps doing it a bit differently each time.

Sure, if anybody can think of any.  A quick look at
"man SSL_CTX_set_options" didn't show me any, but then OpenSSL's
documentation is very bad (the page does not even mention
SSL_OP_NO_COMPRESSION) and I am no SSL expert.

Oh yeah, their docs are. Um. Yeah, let's leave it at that.
 
I think the other one is to control which encryption options are available - but we already have a guc for that.


Is the following proposal acceptable:

- Add a GUC ssl_compression, defaulting to "on".
- Add a client option "sslcompression" and an environment variable
 PGSSLCOMPRESSION, defaulting to "1".

Seems like the reasonable thing, yes.
 

Compression will be disabled if either side refuses.

I assume OpenSSL takes care of this for us, right? We just have to set the flags on the connection?




--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: parallel make failure
Next
From: Greg Jaskiewicz
Date:
Subject: Re: 9.1.2 ?