Re: disable SSL compression?
From | Magnus Hagander |
---|---|
Subject | Re: disable SSL compression? |
Date | |
Msg-id | CABUevEx9_P567Z-5UrdLM9LJ81A7E8F1yGud55GW_wqR6AFZdg@mail.gmail.com |
In reply to | Re: disable SSL compression? (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>) |
Responses | Re: disable SSL compression? |
List | pgsql-hackers |

On Sun, Mar 11, 2018 at 12:36 AM, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:

> On 3/9/18 09:06, Magnus Hagander wrote:
> > What platform does that actually work out of the box on? I have
> > customers who actively want to use it (for compression, not security --
> > replication across limited and metered links), and the amount of
> > workarounds they have to put in place OS level to get it working is
> > increasingly complicated.
>
> It was disabled in OpenSSL 1.1.0:

I am not talking about the OpenSSL disabling it. It was disabled on most *distributions* years ago, long before that commit. Which is why I'm still curious as to what platform you actually got it enabled by default on...
Like the stuff here: https://www.postgresql.org/message-id/flat/CAKwe89Cj7KQ3BZDoUXLF5KBZ8X6icKXHi2Y1mDzTut3PNrH2VA%40mail.gmail.com

>   *) CRIME protection: disable compression by default, even if OpenSSL is
>      compiled with zlib enabled. Applications can still enable compression
>      by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
>      using the SSL_CONF library to configure compression.
>      [Emilia Käsper]
>
> So for your purposes, you could add a server option to turn it back on.
> Such a server option would also be useful for those users who are using
> OpenSSL <1.1.0 and want to turn off compression on the server side.

We'd probably have to put in the distribution specific workarounds like mentioned above to make it actually useful for that.
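
The server option discussed in this thread, sketched as an added example that is not part of the original message or of PostgreSQL's code: it sets or clears `SSL_OP_NO_COMPRESSION` explicitly in both directions, so the result does not depend on which OpenSSL default is in effect. It uses Python's `ssl` binding to the same OpenSSL option; the function names and the boolean setting are hypothetical.

```python
import ssl

# Python exposes OpenSSL's SSL_OP_NO_COMPRESSION as ssl.OP_NO_COMPRESSION.
NO_COMPRESSION = int(ssl.OP_NO_COMPRESSION)


def compression_permitted(ctx: ssl.SSLContext) -> bool:
    """True when the context does not carry SSL_OP_NO_COMPRESSION."""
    return not (int(ctx.options) & NO_COMPRESSION)


def apply_ssl_compression(ctx: ssl.SSLContext, enabled: bool) -> bool:
    """Apply a hypothetical boolean server setting to a TLS context.

    The flag is written explicitly for both values: clearing it is the
    equivalent of SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION) from
    the quoted changelog, and setting it covers libraries older than
    OpenSSL 1.1.0 that do not disable compression by default.
    All other option bits are left untouched.
    """
    opts = int(ctx.options)
    ctx.options = (opts & ~NO_COMPRESSION) if enabled else (opts | NO_COMPRESSION)
    return compression_permitted(ctx)


def compression_posture(ctx: ssl.SSLContext) -> dict:
    """Summarise what the context allows, for logging at server start."""
    return {
        "library": ssl.OPENSSL_VERSION,
        "no_compression_flag": not compression_permitted(ctx),
        # A cleared flag only permits compression. Whether it is actually
        # negotiated depends on the library build (zlib) and on the peer;
        # after a handshake, SSLSocket.compression() reports the outcome.
        "compression_permitted": compression_permitted(ctx),
    }


if __name__ == "__main__":
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    apply_ssl_compression(server_ctx, enabled=False)
    print(compression_posture(server_ctx))
```

Clearing the flag does not by itself produce a compressed connection: a library built without zlib still negotiates none, which is the distribution-level issue raised in the message above.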