Thread: sslcompression / PGSSLCOMPRESSION not behaving as documented?
I'm having a hard time getting SSL compression working (or even figuring out why it's not working) with my local Postgres server. The setting [1] is documented to default to on, but according to the banner when I connect with psql, it's off. It's still off even if I explicitly set PGSSLCOMPRESSION=1:
maciek@gamera:~$ PGSSLCOMPRESSION=1 psql -h localhost
psql (9.4.0, server 9.2.9)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
Nothing interesting in the logs. As far as I can tell, my OpenSSL version is recent enough to support this:
maciek@gamera:~$ ldd /usr/lib/postgresql/9.2/bin/postgres | grep ssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f144a25d000)
(is that the right way to check?)
I'm running this on Ubuntu 14.04 with PGDG Postgres packages. Any ideas?
Thanks,
Maciek

[1]: http://www.postgresql.org/docs/9.2/static/libpq-envars.html
On 01/15/2015 01:02 PM, Maciek Sakrejda wrote:
> I'm having a hard time getting SSL compression working (or even figuring
> out why it's not working) with my local Postgres server. The setting [1]
> is documented to default to on, but according to the banner when I
> connect with psql, it's off. It's still off even if I explicitly set
> PGSSLCOMPRESSION=1:
>
> maciek@gamera:~$ PGSSLCOMPRESSION=1 psql -h localhost
> psql (9.4.0, server 9.2.9)
> SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384,
> bits: 256, compression: off)
> Type "help" for help.
>
> Nothing interesting in the logs. As far as I can tell, my OpenSSL
> version is recent enough to support this:

Noticed you are using psql from 9.4 to connect to a 9.2 server. You might want to try the 9.2 version of psql to see if that works?

> maciek@gamera:~$ ldd /usr/lib/postgresql/9.2/bin/postgres | grep ssl
> libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
> (0x00007f144a25d000)
>
> (is that the right way to check?)

I would use:

dpkg -l | grep openssl

Which on one of my 14.04 instances gives:

ii openssl 1.0.1f-1ubuntu2.8

> I'm running this on Ubuntu 14.04 with PGDG Postgres packages. Any ideas?
>
> Thanks,
> Maciek
>
> [1]: http://www.postgresql.org/docs/9.2/static/libpq-envars.html

--
Adrian Klaver
adrian.klaver@aklaver.com
Maciek Sakrejda <maciek@heroku.com> writes:
> I'm having a hard time getting SSL compression working (or even figuring
> out why it's not working) with my local Postgres server. The setting [1] is
> documented to default to on, but according to the banner when I connect
> with psql, it's off.

Possibly you have the same type of problem mentioned here:

http://www.postgresql.org/message-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzDQ7BASzEZN6EgcGrdZxA@mail.gmail.com

although Ubuntu may well have done it a bit differently than Red Hat, ie the way to override openssl's default behavior might be different.

regards, tom lane
On 01/16/2015 08:30 AM, Tom Lane wrote:
> Maciek Sakrejda <maciek@heroku.com> writes:
>> I'm having a hard time getting SSL compression working (or even figuring
>> out why it's not working) with my local Postgres server. The setting [1] is
>> documented to default to on, but according to the banner when I connect
>> with psql, it's off.
>
> Possibly you have the same type of problem mentioned here:
>
> http://www.postgresql.org/message-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzDQ7BASzEZN6EgcGrdZxA@mail.gmail.com

Yes that would seem to be the issue:

https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog

openssl (1.0.1e-3ubuntu1)

Disable compression to avoid CRIME systemwide (CVE-2012-4929).

> although Ubuntu may well have done it a bit differently than Red Hat,
> ie the way to override openssl's default behavior might be different.
>
> regards, tom lane

--
Adrian Klaver
adrian.klaver@aklaver.com
On Fri, Jan 16, 2015 at 8:41 AM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> On 01/16/2015 08:30 AM, Tom Lane wrote:
>> Maciek Sakrejda <maciek@heroku.com> writes:
>>> I'm having a hard time getting SSL compression working (or even figuring
>>> out why it's not working) with my local Postgres server. The setting [1] is
>>> documented to default to on, but according to the banner when I connect
>>> with psql, it's off.
>>
>> Possibly you have the same type of problem mentioned here:
>>
>> http://www.postgresql.org/message-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzDQ7BASzEZN6EgcGrdZxA@mail.gmail.com
>
> Yes that would seem to be the issue:
>
> https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog
>
> openssl (1.0.1e-3ubuntu1)
>
> Disable compression to avoid CRIME systemwide (CVE-2012-4929).
>
>> although Ubuntu may well have done it a bit differently than Red Hat,
>> ie the way to override openssl's default behavior might be different.
>>
>> regards, tom lane
Magnus Hagander <magnus@hagander.net> writes:
> There's been a few reports on this now. Perhaps we should add a note to the
> docs (not necessarily saying how to fix it, as it may differ, but a note
> saying that many distributions changed the way this is handled and that you
> might need to set an external override)?

Seems reasonable.

regards, tom lane
Thanks, everyone. That seems to be it. I still haven't gotten it to work (I tried setting OPENSSL_DEFAULT_ZLIB=true in /etc/postgresql/9.2/main/environment and restarting the server, then adding the same env var when connecting with the client), but now that I know where the problem is, I think I can work through it.
On Fri, Jan 16, 2015 at 9:22 AM, Magnus Hagander <magnus@hagander.net> wrote:
> There's been a few reports on this now. Perhaps we should add a note to the docs (not necessarily saying how to fix it, as it may differ, but a note saying that many distributions changed the way this is handled and that you might need to set an external override)?
On 01/16/2015 10:34 AM, Maciek Sakrejda wrote:
> Thanks, everyone. That seems to be it. I still haven't gotten it to work
> (I tried setting OPENSSL_DEFAULT_ZLIB=true in
> /etc/postgresql/9.2/main/environment and restarting the server, then
> adding the same env var when connecting with the client), but now that I
> know where the problem is, I think I can work through it.

I think environment is for the PG specific env variables that postmaster/postgres understands:

http://www.postgresql.org/docs/9.2/interactive/app-postgres.html

OPENSSL_DEFAULT_ZLIB is a system env variable; you will need to set it in the shell.

> On Fri, Jan 16, 2015 at 9:22 AM, Magnus Hagander <magnus@hagander.net
> <mailto:magnus@hagander.net>> wrote:
>
>     There's been a few reports on this now. Perhaps we should add a note
>     to the docs (not necessarily saying how to fix it, as it may differ,
>     but a note saying that many distributions changed the way this is
>     handled and that you might need to set an external override)?
>
>
> That would definitely have helped me, yes. I'd submit a doc patch, but
> I'm not sure what the right language would be here. Are there other
> similar caveats documented elsewhere I could crib from?

--
Adrian Klaver
adrian.klaver@aklaver.com
On Fri, Jan 16, 2015 at 08:41:54AM -0800, Adrian Klaver wrote:
> Yes that would seem to be the issue:
>
> https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog
>
> openssl (1.0.1e-3ubuntu1)
>
> Disable compression to avoid CRIME systemwide (CVE-2012-4929).

FWIW, it's likely that the next version of TLS (version 1.3, see [1]) will no longer support compression at all. The consensus appears to be that this is the wrong level to be applying compression.

Since the only way to get compression currently in Postgres is via TLS, perhaps we should look at supporting compression natively in future protocol versions. It will take a while for TLS 1.3 to be deployed so there's time, but PostgreSQL protocol revisions go at a similar pace.

Have a nice day,

[1] https://github.com/tlswg/tls13-spec

--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts. -- Arthur Schopenhauer
On Fri, Jan 16, 2015 at 10:34 AM, Maciek Sakrejda <maciek@heroku.com> wrote:
> Thanks, everyone. That seems to be it. I still haven't gotten it to work (I
> tried setting OPENSSL_DEFAULT_ZLIB=true in
> /etc/postgresql/9.2/main/environment and restarting the server, then adding
> the same env var when connecting with the client), but now that I know where
> the problem is, I think I can work through it.

Did you ever get it to work on Ubuntu? If so, what did you have to do?

OPENSSL_DEFAULT_ZLIB doesn't seem to do anything on Ubuntu 14.04. It is suggested it should work on earlier versions (http://www.ubuntu.com/usn/USN-1898-1/) but there is no mention of it on newer versions.

Cheers,

Jeff
On Thu, Feb 18, 2016 at 11:37 PM, Jeff Janes <jeff.janes@gmail.com> wrote:
> On Fri, Jan 16, 2015 at 10:34 AM, Maciek Sakrejda <maciek@heroku.com> wrote:
>> Thanks, everyone. That seems to be it. I still haven't gotten it to work (I
>> tried setting OPENSSL_DEFAULT_ZLIB=true in
>> /etc/postgresql/9.2/main/environment and restarting the server, then adding
>> the same env var when connecting with the client), but now that I know where
>> the problem is, I think I can work through it.
>
> Did you ever get it to work on Ubuntu? If so, what did you have to do?
>
> OPENSSL_DEFAULT_ZLIB doesn't seem to do anything on Ubuntu 14.04. It
> is suggested it should work on earlier versions
> (http://www.ubuntu.com/usn/USN-1898-1/) but there is no mention of it
> on newer versions.
I can confirm that this env var has the expected effect on Ubuntu 12.04, but newer versions such as 14.04 come with OpenSSL compiled without zlib altogether, so there is no way to enable this short of recompiling the openssl lib, unfortunately.
--
Alex
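The thread turns on reading one line of psql output: the "SSL connection (...)" banner, whose "compression:" field tells you whether the TLS layer negotiated compression (the state the distribution patch quoted above removes because of CRIME, CVE-2012-4929). The script below is an added example written for this page, not code from the thread or from the PostgreSQL project. It parses that status line (psql 9.4 and later print it in the banner and on \conninfo), turns it into an exit code an audit job can act on, and includes a live wrapper around `psql -c '\conninfo'`. The sample banner embedded in it is constructed from the one quoted in the first message, not captured output.

```shell
#!/bin/sh
# Added example (not from the thread or from PostgreSQL): classify the
# "SSL connection (...)" status line that psql 9.4+ prints so that an audit
# can flag connections that negotiated TLS compression.

# Print on / off / unknown for the "compression:" field of the first
# matching line on stdin. Matching on "compression: X)" alone keeps this
# working when a mail client has wrapped the rest of the line.
ssl_compression_state() {
    sed -n 's/.*compression: \([a-z][a-z]*\)).*/\1/p' | head -n 1 | grep . || echo unknown
}

# Map banner text to an exit status:
#   0 = compression off (the state you want after the CRIME mitigation)
#   1 = compression on
#   2 = no SSL status line at all (plain TCP, sslmode=disable, or psql < 9.4)
classify_banner() {
    case "$(printf '%s\n' "$1" | ssl_compression_state)" in
        off) return 0 ;;
        on)  return 1 ;;
        *)   return 2 ;;
    esac
}

# Live check: pass normal psql connection options (e.g. -h localhost).
# \conninfo prints the same SSL line as the interactive banner.
# Exit codes as for classify_banner; a failed connection also yields 2.
audit_live() {
    out=$(psql "$@" -c '\conninfo' 2>/dev/null) || return 2
    classify_banner "$out"
}

# Constructed sample mirroring the banner quoted in the thread; not live output.
SAMPLE_BANNER='psql (9.4.0, server 9.2.9)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.'

printf 'sample banner -> compression %s\n' "$(printf '%s\n' "$SAMPLE_BANNER" | ssl_compression_state)"
```

Run `audit_live -h localhost` from a shell that has sourced the file to check a real server; a non-zero status of 1 means compression is on and the libpq side should be given sslcompression=0 (or the library rebuilt without zlib, as the last message in the thread describes for Ubuntu 14.04). Status 2 means the check could not see an SSL line at all, which an audit should treat as "verify by other means" rather than as a pass.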