Re: disable SSL compression?
| From | Peter Eisentraut |
|---|---|
| Subject | Re: disable SSL compression? |
| Date | |
| Msg-id | 3cb791ef-5aea-7667-02b7-9fef7416127c@2ndquadrant.com |
| In reply to | Re: disable SSL compression? (Magnus Hagander <magnus@hagander.net>) |
| Responses | Re: disable SSL compression? |
| List | pgsql-hackers |

On 3/9/18 09:06, Magnus Hagander wrote:
> What platform does that actually work out of the box on? I have
> customers who actively want to use it (for compression, not security --
> replication across limited and metered links), and the amount of
> workarounds they have to put in place OS level to get it working is
> increasingly complicated.

It was disabled in OpenSSL 1.1.0:

  *) CRIME protection: disable compression by default, even if OpenSSL is
     compiled with zlib enabled. Applications can still enable compression
     by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
     using the SSL_CONF library to configure compression.
     [Emilia Käsper]

So for your purposes, you could add a server option to turn it back on.
Such a server option would also be useful for those users who are using
OpenSSL <1.1.0 and want to turn off compression on the server side.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
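
Added example, not part of the message above and not PostgreSQL code: a sketch of how a server option could set or clear the compression flag explicitly so the result is the same on either side of the OpenSSL 1.1.0 default change. It uses Python's standard `ssl` module, which exposes the same OpenSSL option bit; the setting name `ssl_compression` and the helper names are hypothetical.

```python
import ssl

# Per the changelog quoted above, compression is off by default from 1.1.0 on.
DEFAULT_OFF_SINCE = (1, 1, 0)


def library_default_disables_compression(version_info=None):
    """True if an OpenSSL of this version disables TLS compression by default."""
    v = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    return tuple(v[:3]) >= DEFAULT_OFF_SINCE


def compression_allowed(ctx):
    """True if the context would offer/accept TLS-level compression."""
    return not (ctx.options & ssl.OP_NO_COMPRESSION)


def apply_ssl_compression(ctx, ssl_compression):
    """Apply a hypothetical boolean server setting `ssl_compression` to ctx.

    The bit is set or cleared explicitly instead of relying on the library
    default, which differs between OpenSSL <1.1.0 and >=1.1.0.
    """
    if ssl_compression:
        # Equivalent of SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION).
        ctx.options &= ~ssl.OP_NO_COMPRESSION
    else:
        # Equivalent of SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION).
        ctx.options |= ssl.OP_NO_COMPRESSION
    return compression_allowed(ctx)


if __name__ == "__main__":
    for setting in (False, True):
        # Note: Python sets OP_NO_COMPRESSION itself on every new context.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        allowed = apply_ssl_compression(ctx, setting)
        print(f"ssl_compression={setting}: compression allowed={allowed}")
    # Clearing the flag only permits compression. It is negotiated only if
    # OpenSSL was built with zlib, the peer offers it, and the connection
    # uses TLS 1.2 or older (TLS 1.3 has no compression).
    print(ssl.OPENSSL_VERSION, "default off:",
          library_default_disables_compression())
```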