On Wednesday, November 9, 2011, Albe Laurenz wrote:
Christopher Browne wrote:
>> I think that JDBC and Npgsql should also support disabling
compression.
>
> That's the *real* problem here...
>
> You're quite right that if we allow controlling this on the libpq
> side, it is surely desirable to allow controlling this via JDBC,
> Npgsql, and other mechanisms people may have around.
[...]
> With that series of complications, I wonder if maybe the right place
> to control this is pg_hba.conf.
I think that wouldn't work, because to query pg_hba.conf, you have to
know user and database, which come from the client side.
But the SSL negotiation takes place earlier, namely when the
connection is established.
Oh, right, that's going to be a problem doing it there.
> I wonder how many SSL parameters there are which would be worth trying
> to have available. I expect we'd benefit from looking at all the
> relevant ones at once, so as to not have the problem of hacking "one
> more" into place and perhaps doing it a bit differently each time.
Sure, if anybody can think of any. A quick look at
"man SSL_CTX_set_options" didn't show me any, but then OpenSSL's
documentation is very bad (the page does not even mention
SSL_OP_NO_COMPRESSION) and I am no SSL expert.
Oh yeah, their docs are. Um. Yeah, let's leave it at that.
I think the other one is to control which encryption options are available - but we already have a guc for that.
Is the following proposal acceptable:
- Add a GUC ssl_compression, defaulting to "on".
- Add a client option "sslcompression" and an environment variable
PGSSLCOMPRESSION, defaulting to "1".
Seems like the reasonable thing, yes.
Compression will be disabled if either side refuses.
I assume OpenSSL takes care of this for us, right? We just have to set the flags on the connection?
--
Magnus Hagander
Me:
http://www.hagander.net/ Work:
http://www.redpill-linpro.com/