Re: Disable OpenSSL compression

Andrew Dunstan <andrew@dunslane.net>

From: Andrew Dunstan <andrew@dunslane.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Jeroen Vermeulen <jtv@xs4all.nl>, Albe Laurenz <laurenz.albe@wien.gv.at>, Marko Kreen <markokr@gmail.com>, pgsql-hackers@postgresql.org
Date: 2011-11-10T14:22:51Z
Lists: pgsql-hackers

On 11/08/2011 12:39 PM, Tom Lane wrote:
> Jeroen Vermeulen<jtv@xs4all.nl>  writes:
>> Another reason why I believe compression is often used with encryption
>> is to maximize information content per byte of data: harder to guess,
>> harder to crack.  Would that matter?
> Yes, it would.  There's a reason why the OpenSSL default is what it is.
>
> 			


An interesting data point on this is that RedHat's nss_compat_ossl 
package doesn't support SSL compression at all 
<http://fedoraproject.org/wiki/Nss_compat_ossl>, and it's supposed to be 
a path to FIPS 140 compliance: 
<http://fedoraproject.org/wiki/FedoraCryptoConsolidation>. The latter 
URL, incidentally, contains a lot of good information, and lays out many 
of the reasons why I'd like to see us support NSS as an alternative to 
OpenSSL, notwithstanding the supposed dirtiness of its API. I imagine 
this would be of interest to commercial Postgres vendors also.

cheers

andrew