Commit e3bdb2d

Set libpq sslcompression to off by default

Since SSL compression is no longer recommended, turn the default in libpq from on to off.

OpenSSL 1.1.0 and many distribution packages already turn compression off by default, so such a server won't accept compression anyway. So this will mainly affect users of older OpenSSL installations.

Also update the documentation to make clear that this setting is no longer recommended.

Discussion: https://www.postgresql.org/message-id/flat/595cf3b1-4ffe-7f05-6f72-f72b7afa7993%402ndquadrant.com

1 parent 8a3d942 commit e3bdb2d

3 files changed: +25 -16 lines changed

doc/src/sgml/libpq.sgml

Lines changed: 20 additions & 11 deletions
@@ -1438,19 +1438,28 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
14381438
<term><literal>sslcompression</literal></term>
14391439
<listitem>
14401440
<para>
1441-
If set to 1 (default), data sent over SSL connections will be
1442-
compressed.
1443-
If set to 0, compression will be disabled (this requires
1444-
<productname>OpenSSL</productname> 1.0.0 or later).
1445-
This parameter is ignored if a connection without SSL is made,
1446-
or if the version of <productname>OpenSSL</productname> used does not support
1447-
it.
1441+
If set to 1, data sent over SSL connections will be compressed. If
1442+
set to 0, compression will be disabled. The default is 0. This
1443+
parameter is ignored if a connection without SSL is made.
14481444
</para>
1445+
1446+
<para>
1447+
SSL compression is nowadays considered insecure and its use is no
1448+
longer recommended. <productname>OpenSSL</productname> 1.1.0 disables
1449+
compression by default, and many operating system distributions
1450+
disable it in prior versions as well, so setting this parameter to on
1451+
will not have any effect if the server does not accept compression.
1452+
On the other hand, <productname>OpenSSL</productname> before 1.0.0
1453+
does not support disabling compression, so this parameter is ignored
1454+
with those versions, and whether compression is used depends on the
1455+
server.
1456+
</para>
1457+
14491458
<para>
1450-
Compression uses CPU time, but can improve throughput if
1451-
the network is the bottleneck.
1452-
Disabling compressioncan improve response time and throughput
1453-
if CPU performance is thelimiting factor.
1459+
If security is not a primary concern, compression can improve
1460+
throughput ifthe network is the bottleneck. Disabling compression
1461+
can improve response time and throughput if CPU performance is the
1462+
limiting factor.
14541463
</para>
14551464
</listitem>
14561465
</varlistentry>
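Review bot: the new first paragraph describes the values as 1 and 0, but the added second paragraph says "setting this parameter to on will not have any effect"; use the same spelling throughout (e.g. "setting this parameter to 1"), because the check in fe-secure-openssl.c only compares the first character against '0' and does not recognise on/off as values. Also, since the default is now 0, the final paragraph's advice that compression "can improve throughput if the network is the bottleneck" would read better with an explicit "by setting this parameter to 1", so that a reader knows an opt-in is required.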

src/interfaces/libpq/fe-connect.c

Lines changed: 1 addition & 1 deletion
@@ -279,7 +279,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
279279
"SSL-Mode","",12,/* sizeof("verify-full") == 12 */
280280
offsetof(structpg_conn,sslmode)},
281281

282-
{"sslcompression","PGSSLCOMPRESSION","1",NULL,
282+
{"sslcompression","PGSSLCOMPRESSION","0",NULL,
283283
"SSL-Compression","",1,
284284
offsetof(structpg_conn,sslcompression)},
285285
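Review bot: changing the compiled-in default string from "1" to "0" is a behaviour change for every application that does not set sslcompression explicitly, and the PGSSLCOMPRESSION environment variable named in this same entry can still set it back to "1" per process. The libpq.sgml hunk does not say that an explicit sslcompression=1 or the environment variable re-enables compression; consider one sentence there and a release-note entry, since this table is also what PQconndefaults() reports to applications.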

src/interfaces/libpq/fe-secure-openssl.c

Lines changed: 4 additions & 4 deletions
@@ -1188,14 +1188,14 @@ initialize_SSL(PGconn *conn)
11881188
SSL_set_verify(conn->ssl,SSL_VERIFY_PEER,verify_cb);
11891189

11901190
/*
1191-
*Ifthe OpenSSL version used supports it (from 1.0.0 on) and the user
1192-
*requested it, disable SSL compression.
1191+
*Set compression option ifthe OpenSSL version used supports it (from
1192+
*1.0.0 on).
11931193
*/
11941194
#ifdefSSL_OP_NO_COMPRESSION
11951195
if (conn->sslcompression&&conn->sslcompression[0]=='0')
1196-
{
11971196
SSL_set_options(conn->ssl,SSL_OP_NO_COMPRESSION);
1198-
}
1197+
else
1198+
SSL_clear_options(conn->ssl,SSL_OP_NO_COMPRESSION);
11991199
#endif
12001200

12011201
return0;
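Review bot: the value test at line 1195 is a first-character compare (`conn->sslcompression[0]=='0'`), and the new `else` branch turns every other value, including "off", "false" or an empty string, into an active `SSL_clear_options(conn->ssl,SSL_OP_NO_COMPRESSION)`, i.e. a request to enable compression. Before this change such values merely left OpenSSL's own default in place; now they override it. The NULL case (`conn->sslcompression` unset) also falls into the enabling branch, which is the opposite of the new "0" default set in fe-connect.c. Suggest parsing the option strictly (accept "0" and "1", fail the connection on anything else) so that only an explicit 1 clears the option, and note in the rewritten comment that disabling is the default and the else branch is the opt-in.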
