Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?
Magnus Hagander <magnus@hagander.net>
From: Magnus Hagander <magnus@hagander.net>
To: Adrian Klaver <adrian.klaver@aklaver.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Maciek Sakrejda <maciek@heroku.com>,
"pgsql-general@postgresql.org" <pgsql-general@postgresql.org>
Date: 2015-01-16T17:22:36Z
Lists: pgsql-general
On Fri, Jan 16, 2015 at 8:41 AM, Adrian Klaver <adrian.klaver@aklaver.com> wrote: > On 01/16/2015 08:30 AM, Tom Lane wrote: > >> Maciek Sakrejda <maciek@heroku.com> writes: >> >>> I'm having a hard time getting SSL compression working (or even figuring >>> out why it's not working) with my local Postgres server. The setting [1] >>> is >>> documented to default to on, but according to the banner when I connect >>> with psql, it's off. >>> >> >> Possibly you have the same type of problem mentioned here: >> >> http://www.postgresql.org/message-id/CABUevEytxEQtbMeuKpJ8tYjeeB37m >> zDQ7BASzEZN6EgcGrdZxA@mail.gmail.com >> > > Yes that would seem to be the issue: > > https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog > > openssl (1.0.1e-3ubuntu1) > > Disable compression to avoid CRIME systemwide (CVE-2012-4929). > > > >> although Ubuntu may well have done it a bit differently than Red Hat, >> ie the way to override openssl's default behavior might be different. >> >> regards, tom lane >> >> >> There's been a few reports on this now. Perhaps we should add a note to the docs (not necessarily saying how to fix it, as it may differ, but a note saying that many distributions changed the way this is handled and that you might need to set an external override)? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/