Re: disable SSL compression?

Sun, Mar 11, 2018 at 12:36 AM, Peter Eisentraut <
peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:

> On 3/9/18 09:06, Magnus Hagander wrote:
> > What platform does that actually work out of the box on? I have
> > customers who actively want to use it (for compression, not security --
> > replication across limited and metered links), and the amount of
> > workarounds they have to put in place OS level to get it working is
> > increasingly complicated.
>
> It was disabled in OpenSSL 1.1.0:
>

I am not talking about the OpenSSL disabling it. It was disabled on most
*distributions* years ago, long before that commit. Which is why I'm still
curious as to what platform you actually got it enabled by default on...

Like the stuff here:
https://www.postgresql.org/message-id/flat/CAKwe89Cj7KQ3BZDoUXLF5KBZ8X6icKXHi2Y1mDzTut3PNrH2VA%40mail.gmail.com

*) CRIME protection: disable compression by default, even if OpenSSL is
> compiled with zlib enabled. Applications can still enable compression
> by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
> using the SSL_CONF library to configure compression.
> [Emilia Käsper]
>
> So for your purposes, you could add a server option to turn it back on.

Such a server option would also be useful for those users who are using
> OpenSSL <1.1.0 and want to turn off compression on the server side.
>
>
We'd probably have to put in the distribution specific workarounds like
mentioned above to make it actually useful for that.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>