Re: disable SSL compression?

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Claudio Freire <klaussfreire(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: disable SSL compression?
Date: 2018-03-11 16:07:09
Message-ID: CABUevExCu5-LnJayU4jGfcHvK=4i2kJc4LqVSCHf=gq4qC179A@mail.gmail.com
Lists: pgsql-hackers

On Sun, Mar 11, 2018 at 2:05 PM, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:

> On 3/11/18 04:00, Magnus Hagander wrote:
> > I am not talking about the OpenSSL disabling it. It was disabled on most
> > *distributions* years ago, long before that commit. Which is why I'm
> > still curious as to what platform you actually got it enabled by default
> > on...
>
> Homebrew package
>
> > So for your purposes, you could add a server option to turn it back on.
> >
> > Such a server option would also be useful for those users who are using
> > OpenSSL <1.1.0 and want to turn off compression on the server side.
> >
> >
> > We'd probably have to put in the distribution specific workarounds like
> > mentioned above to make it actually useful for that.
>
> The change in the Debian package I found was to build without zlib at
> all. So no amount of turning it back on will help. Whereas the
> upstream change was just to make the default to be off. But anyway,
> this feature is clearly dying, so we probably shouldn't be trying very
> hard to keep it.
>
> My proposal is the attached patch that sets the default in libpq to off
> and adjusts the documentation a bit so it doesn't sound like we have
> missed the news altogether.
>
>
I think it's worth mentioning in the docs around "it's now considered
insecure" that it's still an option to use if compression is the main thing
one is looking for, rather than security. As in, it doesn't make it any
less secure than no ssl at all. (obviously not those words)

+1 otherwise.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
