Thread: sslcompression / PGSSLCOMPRESSION not behaving as documented?

sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Maciek Sakrejda
Date:
I'm having a hard time getting SSL compression working (or even figuring out why it's not working) with my local Postgres server. The setting [1] is documented to default to on, but according to the banner when I connect with psql, it's off. It's still off even if I explicitly set PGSSLCOMPRESSION=1:

maciek@gamera:~$ PGSSLCOMPRESSION=1 psql -h localhost
psql (9.4.0, server 9.2.9)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

Nothing interesting in the logs. As far as I can tell, my OpenSSL version is recent enough to support this:

maciek@gamera:~$ ldd /usr/lib/postgresql/9.2/bin/postgres  | grep ssl
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f144a25d000)

(is that the right way to check?)

I'm running this on Ubuntu 14.04 with PGDG Postgres packages. Any ideas?

Thanks,
Maciek

[1]: http://www.postgresql.org/docs/9.2/static/libpq-envars.html

Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Adrian Klaver
Date:
On 01/15/2015 01:02 PM, Maciek Sakrejda wrote:
> I'm having a hard time getting SSL compression working (or even figuring
> out why it's not working) with my local Postgres server. The setting [1]
> is documented to default to on, but according to the banner when I
> connect with psql, it's off. It's still off even if I explicitly set
> PGSSLCOMPRESSION=1:
>
> maciek@gamera:~$ PGSSLCOMPRESSION=1 psql -h localhost
> psql (9.4.0, server 9.2.9)
> SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384,
> bits: 256, compression: off)
> Type "help" for help.
>
> Nothing interesting in the logs. As far as I can tell, my OpenSSL
> version is recent enough to support this:

Noticed you are using psql from 9.4 to connect to a 9.2 server.

You might want to try the 9.2 version of psql to see if that works?

>
> maciek@gamera:~$ ldd /usr/lib/postgresql/9.2/bin/postgres  | grep ssl
>      libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
> (0x00007f144a25d000)
>
> (is that the right way to check?)

I would use:

dpkg -l | grep openssl

Which on one of my 14.04 instances gives:

ii  openssl                          1.0.1f-1ubuntu2.8

>
> I'm running this on Ubuntu 14.04 with PGDG Postgres packages. Any ideas?
>
> Thanks,
> Maciek
>
> [1]: http://www.postgresql.org/docs/9.2/static/libpq-envars.html


--
Adrian Klaver
adrian.klaver@aklaver.com


Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Tom Lane
Date:
Maciek Sakrejda <maciek@heroku.com> writes:
> I'm having a hard time getting SSL compression working (or even figuring
> out why it's not working) with my local Postgres server. The setting [1] is
> documented to default to on, but according to the banner when I connect
> with psql, it's off.

Possibly you have the same type of problem mentioned here:

http://www.postgresql.org/message-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzDQ7BASzEZN6EgcGrdZxA@mail.gmail.com

although Ubuntu may well have done it a bit differently than Red Hat,
ie the way to override openssl's default behavior might be different.

            regards, tom lane


Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Adrian Klaver
Date:
On 01/16/2015 08:30 AM, Tom Lane wrote:
> Maciek Sakrejda <maciek@heroku.com> writes:
>> I'm having a hard time getting SSL compression working (or even figuring
>> out why it's not working) with my local Postgres server. The setting [1] is
>> documented to default to on, but according to the banner when I connect
>> with psql, it's off.
>
> Possibly you have the same type of problem mentioned here:
>
> http://www.postgresql.org/message-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzDQ7BASzEZN6EgcGrdZxA@mail.gmail.com

Yes that would seem to be the issue:

https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog

openssl (1.0.1e-3ubuntu1)

Disable compression to avoid CRIME systemwide (CVE-2012-4929).


>
> although Ubuntu may well have done it a bit differently than Red Hat,
> ie the way to override openssl's default behavior might be different.
>
>             regards, tom lane
>
>


--
Adrian Klaver
adrian.klaver@aklaver.com
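The changelog entry quoted above is the whole story behind the "documented default on, observed off" behaviour: the distribution's OpenSSL refuses to negotiate compression regardless of what libpq asks for. What follows is an added example, not code from this thread, from PostgreSQL or from OpenSSL, showing in Python why that choice was made. It models the compression oracle that CRIME (CVE-2012-4929) exploits: a channel that compresses a secret together with attacker-chosen bytes before encrypting them leaks the secret through record lengths. The field name, secret value, alphabet and padding bytes are constructed for the demonstration; the two "oracle" functions stand in for a TLS connection whose ciphertext lengths an on-path attacker can observe, nothing here talks to a real server.

```python
"""Compression oracle of the kind CRIME (CVE-2012-4929) exploits.

Added example with constructed data; not from the thread, PostgreSQL or
OpenSSL. The oracles below stand in for a TLS connection: the attacker
cannot read the plaintext but can see how long each record is.
"""
import zlib
from typing import Callable

# Constructed values. The attacker knows the field name and the alphabet
# of the value, but not the value itself.
SECRET_PREFIX = "password="
SECRET_VALUE = "hunter2xyz"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Distinct high bytes that DEFLATE's fixed Huffman table codes in 9 bits
# each. Appending 0..8 of them shifts the bit alignment of the record so a
# difference of a few bits is never hidden by rounding to whole bytes.
PADS = bytes(range(0xA0, 0xA8))


def shared_context_oracle(attacker_bytes: str) -> int:
    """Vulnerable channel: secret and attacker data share one compressor.

    Returns the record length an attacker would observe, summed over nine
    padding lengths (0 to 8 bytes) to make the comparison deterministic.
    """
    secret_part = SECRET_PREFIX + SECRET_VALUE
    total = 0
    for n in range(len(PADS) + 1):
        record = (secret_part + "\r\n" + attacker_bytes).encode() + PADS[:n]
        total += len(zlib.compress(record, 9))
    return total


def separate_context_oracle(attacker_bytes: str) -> int:
    """Mitigated channel: the secret is compressed in its own context, so
    attacker input can never form a back-reference into it. Turning TLS
    compression off achieves the same thing for the whole connection.
    """
    secret_part = SECRET_PREFIX + SECRET_VALUE
    total = 0
    for n in range(len(PADS) + 1):
        total += len(zlib.compress(secret_part.encode(), 9))
        total += len(zlib.compress(attacker_bytes.encode() + PADS[:n], 9))
    return total


def recover_secret(oracle: Callable[[str], int], max_len: int = 64) -> str:
    """Byte-at-a-time recovery from lengths alone.

    Each round the attacker injects PREFIX + known + c for every candidate
    c. Only the right c extends the LZ77 match against the real secret, so
    only it compresses better. Stops when no single candidate is strictly
    best: either the secret is complete or the channel does not leak.
    """
    known = ""
    while len(known) < max_len:
        lengths = {c: oracle(SECRET_PREFIX + known + c) for c in ALPHABET}
        best = min(lengths.values())
        winners = [c for c, n in lengths.items() if n == best]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    print("shared compression context  :", repr(recover_secret(shared_context_oracle)))
    print("separate compression context:", repr(recover_secret(separate_context_oracle)))
```

Run it directly: the first oracle gives up the entire constructed value, the second gives up nothing. The padding loop exists only to keep the demonstration deterministic against DEFLATE's byte rounding; a real attack needs more requests and more care, but the principle is the same. Note that the leak belongs to any layer that compresses secret and attacker-controlled bytes in one context, which is the caveat to keep in mind when the suggestion later in this thread, compression inside the database protocol instead of in TLS, comes up.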


Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Magnus Hagander
Date:
On Fri, Jan 16, 2015 at 8:41 AM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> On 01/16/2015 08:30 AM, Tom Lane wrote:
>> Maciek Sakrejda <maciek@heroku.com> writes:
>>> I'm having a hard time getting SSL compression working (or even figuring
>>> out why it's not working) with my local Postgres server. The setting [1] is
>>> documented to default to on, but according to the banner when I connect
>>> with psql, it's off.
>>
>> Possibly you have the same type of problem mentioned here:
>>
>> http://www.postgresql.org/message-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzDQ7BASzEZN6EgcGrdZxA@mail.gmail.com
>
> Yes that would seem to be the issue:
>
> https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog
>
> openssl (1.0.1e-3ubuntu1)
>
> Disable compression to avoid CRIME systemwide (CVE-2012-4929).
>
>> although Ubuntu may well have done it a bit differently than Red Hat,
>> ie the way to override openssl's default behavior might be different.
>>
>>             regards, tom lane

There's been a few reports on this now. Perhaps we should add a note to the docs (not necessarily saying how to fix it, as it may differ, but a note saying that many distributions changed the way this is handled and that you might need to set an external override)?

--

Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Tom Lane
Date:
Magnus Hagander <magnus@hagander.net> writes:
> There's been a few reports on this now. Perhaps we should add a note to the
> docs (not necessarily saying how to fix it, as it may differ, but a note
> saying that many distributions changed the way this is handled and that you
> might need to set an external override)?

Seems reasonable.

            regards, tom lane


Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Maciek Sakrejda
Date:
Thanks, everyone. That seems to be it. I still haven't gotten it to work (I tried setting OPENSSL_DEFAULT_ZLIB=true in /etc/postgresql/9.2/main/environment and restarting the server, then adding the same env var when connecting with the client), but now that I know where the problem is, I think I can work through it.

On Fri, Jan 16, 2015 at 9:22 AM, Magnus Hagander <magnus@hagander.net> wrote:
> There's been a few reports on this now. Perhaps we should add a note to the docs (not necessarily saying how to fix it, as it may differ, but a note saying that many distributions changed the way this is handled and that you might need to set an external override)?

That would definitely have helped me, yes. I'd submit a doc patch, but I'm not sure what the right language would be here. Are there other similar caveats documented elsewhere I could crib from?

Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Adrian Klaver
Date:
On 01/16/2015 10:34 AM, Maciek Sakrejda wrote:
> Thanks, everyone. That seems to be it. I still haven't gotten it to work
> (I tried setting OPENSSL_DEFAULT_ZLIB=true in
> /etc/postgresql/9.2/main/environment and restarting the server, then
> adding the same env var when connecting with the client), but now that I
> know where the problem is, I think I can work through it.

I think environment is for the PG specific env variables that
postmaster/postgres understands:

http://www.postgresql.org/docs/9.2/interactive/app-postgres.html


OPENSSL_DEFAULT_ZLIB is a system env variable, you will need to set in
the shell.

>
> On Fri, Jan 16, 2015 at 9:22 AM, Magnus Hagander <magnus@hagander.net
> <mailto:magnus@hagander.net>> wrote:
>
>     There's been a few reports on this now. Perhaps we should add a note
>     to the docs (not necessarily saying how to fix it, as it may differ,
>     but a note saying that many distributions changed the way this is
>     handled and that you might need to set an external override)?
>
>
> That would definitely have helped me, yes. I'd submit a doc patch, but
> I'm not sure what the right language would be here. Are there other
> similar caveats documented elsewhere I could crib from?


--
Adrian Klaver
adrian.klaver@aklaver.com


Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Martijn van Oosterhout
Date:
On Fri, Jan 16, 2015 at 08:41:54AM -0800, Adrian Klaver wrote:
> Yes that would seem to be the issue:
>
> https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog
>
> openssl (1.0.1e-3ubuntu1)
>
> Disable compression to avoid CRIME systemwide (CVE-2012-4929).

FWIW, it's likely that the next version of TLS (version 1.3, see[1])
will no longer support compression at all.  The consensus appears to be
that this is the wrong level to be applying compression.

Since the only way to get compression currently in Postgres is via TLS,
perhaps we should look at supporting compression natively in future
protocol versions.

It will take a while for TLS 1.3 to be deployed so there's time, but
PostgreSQL protocol revisions go at a similar pace.

Have a nice day,

[1] https://github.com/tlswg/tls13-spec
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.
   -- Arthur Schopenhauer

Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
Jeff Janes
Date:
On Fri, Jan 16, 2015 at 10:34 AM, Maciek Sakrejda <maciek@heroku.com> wrote:
> Thanks, everyone. That seems to be it. I still haven't gotten it to work (I
> tried setting OPENSSL_DEFAULT_ZLIB=true in
> /etc/postgresql/9.2/main/environment and restarting the server, then adding
> the same env var when connecting with the client), but now that I know where
> the problem is, I think I can work through it.

Did you ever get it to work on Ubuntu?  If so, what did you have to do?

OPENSSL_DEFAULT_ZLIB doesn't seem to do anything on Ubuntu 14.04.  It
is suggested it should work on earlier versions
(http://www.ubuntu.com/usn/USN-1898-1/) but there is no mention of it
on newer versions.

Cheers,

Jeff


Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

From
"Shulgin, Oleksandr"
Date:
On Thu, Feb 18, 2016 at 11:37 PM, Jeff Janes <jeff.janes@gmail.com> wrote:
> On Fri, Jan 16, 2015 at 10:34 AM, Maciek Sakrejda <maciek@heroku.com> wrote:
>> Thanks, everyone. That seems to be it. I still haven't gotten it to work (I
>> tried setting OPENSSL_DEFAULT_ZLIB=true in
>> /etc/postgresql/9.2/main/environment and restarting the server, then adding
>> the same env var when connecting with the client), but now that I know where
>> the problem is, I think I can work through it.
>
> Did you ever get it to work on Ubuntu?  If so, what did you have to do?
>
> OPENSSL_DEFAULT_ZLIB doesn't seem to do anything on Ubuntu 14.04.  It
> is suggested it should work on earlier versions
> (http://www.ubuntu.com/usn/USN-1898-1/) but there is no mention of it
> on newer versions.

I can confirm that this env var has the expected effect on Ubuntu 12.04, but newer versions such as 14.04 come with OpenSSL compiled without zlib altogether, so there is no way to enable this short of recompiling the openssl lib, unfortunately.

--
Alex