sslcompression / PGSSLCOMPRESSION not behaving as documented?

Started by Maciek Sakrejda, about 11 years ago, 11 messages, general
#1Maciek Sakrejda
maciek@heroku.com

I'm having a hard time getting SSL compression working (or even figuring
out why it's not working) with my local Postgres server. The setting [1] is
documented to default to on, but according to the banner when I connect
with psql, it's off. It's still off even if I explicitly set
PGSSLCOMPRESSION=1:

maciek@gamera:~$ PGSSLCOMPRESSION=1 psql -h localhost
psql (9.4.0, server 9.2.9)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits:
256, compression: off)
Type "help" for help.

Nothing interesting in the logs. As far as I can tell, my OpenSSL version
is recent enough to support this:

maciek@gamera:~$ ldd /usr/lib/postgresql/9.2/bin/postgres | grep ssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007f144a25d000)

(is that the right way to check?)

I'm running this on Ubuntu 14.04 with PGDG Postgres packages. Any ideas?

Thanks,
Maciek

[1]: http://www.postgresql.org/docs/9.2/static/libpq-envars.html

#2Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Maciek Sakrejda (#1)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

On 01/15/2015 01:02 PM, Maciek Sakrejda wrote:

I'm having a hard time getting SSL compression working (or even figuring
out why it's not working) with my local Postgres server. The setting [1]
is documented to default to on, but according to the banner when I
connect with psql, it's off. It's still off even if I explicitly set
PGSSLCOMPRESSION=1:

maciek@gamera:~$ PGSSLCOMPRESSION=1 psql -h localhost
psql (9.4.0, server 9.2.9)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384,
bits: 256, compression: off)
Type "help" for help.

Nothing interesting in the logs. As far as I can tell, my OpenSSL
version is recent enough to support this:

Noticed you are using psql from 9.4 to connect to a 9.2 server.

You might want to try the 9.2 version of psql to see if that works?

maciek@gamera:~$ ldd /usr/lib/postgresql/9.2/bin/postgres | grep ssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007f144a25d000)

(is that the right way to check?)

I would use:

dpkg -l | grep openssl

Which on one of my 14.04 instances gives:

ii openssl 1.0.1f-1ubuntu2.8

I'm running this on Ubuntu 14.04 with PGDG Postgres packages. Any ideas?

Thanks,
Maciek

[1]: http://www.postgresql.org/docs/9.2/static/libpq-envars.html

--
Adrian Klaver
adrian.klaver@aklaver.com

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#3Tom Lane
tgl@sss.pgh.pa.us
In reply to: Maciek Sakrejda (#1)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

Maciek Sakrejda <maciek@heroku.com> writes:

I'm having a hard time getting SSL compression working (or even figuring
out why it's not working) with my local Postgres server. The setting [1] is
documented to default to on, but according to the banner when I connect
with psql, it's off.

Possibly you have the same type of problem mentioned here:

/messages/by-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzDQ7BASzEZN6EgcGrdZxA@mail.gmail.com

although Ubuntu may well have done it a bit differently than Red Hat,
ie the way to override openssl's default behavior might be different.

regards, tom lane


#4Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Tom Lane (#3)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

On 01/16/2015 08:30 AM, Tom Lane wrote:

Maciek Sakrejda <maciek@heroku.com> writes:

I'm having a hard time getting SSL compression working (or even figuring
out why it's not working) with my local Postgres server. The setting [1] is
documented to default to on, but according to the banner when I connect
with psql, it's off.

Possibly you have the same type of problem mentioned here:

/messages/by-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzDQ7BASzEZN6EgcGrdZxA@mail.gmail.com

Yes that would seem to be the issue:

https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog

openssl (1.0.1e-3ubuntu1)

Disable compression to avoid CRIME systemwide (CVE-2012-4929).

although Ubuntu may well have done it a bit differently than Red Hat,
ie the way to override openssl's default behavior might be different.

regards, tom lane

--
Adrian Klaver
adrian.klaver@aklaver.com


#5Magnus Hagander
magnus@hagander.net
In reply to: Adrian Klaver (#4)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

On Fri, Jan 16, 2015 at 8:41 AM, Adrian Klaver <adrian.klaver@aklaver.com>
wrote:

On 01/16/2015 08:30 AM, Tom Lane wrote:

Maciek Sakrejda <maciek@heroku.com> writes:

I'm having a hard time getting SSL compression working (or even figuring
out why it's not working) with my local Postgres server. The setting [1] is
documented to default to on, but according to the banner when I connect
with psql, it's off.

Possibly you have the same type of problem mentioned here:

/messages/by-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzDQ7BASzEZN6EgcGrdZxA@mail.gmail.com

Yes that would seem to be the issue:

https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog

openssl (1.0.1e-3ubuntu1)

Disable compression to avoid CRIME systemwide (CVE-2012-4929).

although Ubuntu may well have done it a bit differently than Red Hat,
ie the way to override openssl's default behavior might be different.

regards, tom lane

There's been a few reports on this now. Perhaps we should add a note to the
docs (not necessarily saying how to fix it, as it may differ, but a note
saying that many distributions changed the way this is handled and that you
might need to set an external override)?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

#6Tom Lane
tgl@sss.pgh.pa.us
In reply to: Magnus Hagander (#5)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

Magnus Hagander <magnus@hagander.net> writes:

There's been a few reports on this now. Perhaps we should add a note to the
docs (not necessarily saying how to fix it, as it may differ, but a note
saying that many distributions changed the way this is handled and that you
might need to set an external override)?

Seems reasonable.

regards, tom lane


#7Maciek Sakrejda
maciek@heroku.com
In reply to: Magnus Hagander (#5)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

Thanks, everyone. That seems to be it. I still haven't gotten it to work (I
tried setting OPENSSL_DEFAULT_ZLIB=true in
/etc/postgresql/9.2/main/environment and restarting the server, then adding
the same env var when connecting with the client), but now that I know
where the problem is, I think I can work through it.

On Fri, Jan 16, 2015 at 9:22 AM, Magnus Hagander <magnus@hagander.net>
wrote:

There's been a few reports on this now. Perhaps we should add a note to
the docs (not necessarily saying how to fix it, as it may differ, but a
note saying that many distributions changed the way this is handled and
that you might need to set an external override)?

That would definitely have helped me, yes. I'd submit a doc patch, but I'm
not sure what the right language would be here. Are there other similar
caveats documented elsewhere I could crib from?

#8Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Maciek Sakrejda (#7)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

On 01/16/2015 10:34 AM, Maciek Sakrejda wrote:

Thanks, everyone. That seems to be it. I still haven't gotten it to work
(I tried setting OPENSSL_DEFAULT_ZLIB=true in
/etc/postgresql/9.2/main/environment and restarting the server, then
adding the same env var when connecting with the client), but now that I
know where the problem is, I think I can work through it.

I think environment is for the PG specific env variables that
postmaster/postgres understands:

http://www.postgresql.org/docs/9.2/interactive/app-postgres.html

OPENSSL_DEFAULT_ZLIB is a system env variable, you will need to set it in
the shell.

On Fri, Jan 16, 2015 at 9:22 AM, Magnus Hagander <magnus@hagander.net> wrote:

There's been a few reports on this now. Perhaps we should add a note
to the docs (not necessarily saying how to fix it, as it may differ,
but a note saying that many distributions changed the way this is
handled and that you might need to set an external override)?

That would definitely have helped me, yes. I'd submit a doc patch, but
I'm not sure what the right language would be here. Are there other
similar caveats documented elsewhere I could crib from?

--
Adrian Klaver
adrian.klaver@aklaver.com


#9Martijn van Oosterhout
kleptog@svana.org
In reply to: Adrian Klaver (#4)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

On Fri, Jan 16, 2015 at 08:41:54AM -0800, Adrian Klaver wrote:

Yes that would seem to be the issue:

https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog

openssl (1.0.1e-3ubuntu1)

Disable compression to avoid CRIME systemwide (CVE-2012-4929).

FWIW, it's likely that the next version of TLS (version 1.3, see [1])
will no longer support compression at all. The consensus appears to be
that this is the wrong level to be applying compression.

Since the only way to get compression currently in Postgres is via TLS,
perhaps we should look at supporting compression natively in future
protocol versions.

It will take a while for TLS 1.3 to be deployed so there's time, but
PostgreSQL protocol revisions go at a similar pace.

Have a nice day,

[1]: https://github.com/tlswg/tls13-spec
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/

He who writes carelessly confesses thereby at the very outset that he does
not attach much importance to his own thoughts.

-- Arthur Schopenhauer

#10Jeff Janes
jeff.janes@gmail.com
In reply to: Maciek Sakrejda (#7)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

On Fri, Jan 16, 2015 at 10:34 AM, Maciek Sakrejda <maciek@heroku.com> wrote:

Thanks, everyone. That seems to be it. I still haven't gotten it to work (I
tried setting OPENSSL_DEFAULT_ZLIB=true in
/etc/postgresql/9.2/main/environment and restarting the server, then adding
the same env var when connecting with the client), but now that I know where
the problem is, I think I can work through it.

Did you ever get it to work on Ubuntu? If so, what did you have to do?

OPENSSL_DEFAULT_ZLIB doesn't seem to do anything on Ubuntu 14.04. It
is suggested it should work on earlier versions
(http://www.ubuntu.com/usn/USN-1898-1/) but there is no mention of it
on newer versions.

Cheers,

Jeff


#11Shulgin, Oleksandr
oleksandr.shulgin@zalando.de
In reply to: Jeff Janes (#10)
Re: sslcompression / PGSSLCOMPRESSION not behaving as documented?

On Thu, Feb 18, 2016 at 11:37 PM, Jeff Janes <jeff.janes@gmail.com> wrote:

On Fri, Jan 16, 2015 at 10:34 AM, Maciek Sakrejda <maciek@heroku.com>
wrote:

Thanks, everyone. That seems to be it. I still haven't gotten it to work (I
tried setting OPENSSL_DEFAULT_ZLIB=true in
/etc/postgresql/9.2/main/environment and restarting the server, then adding
the same env var when connecting with the client), but now that I know where
the problem is, I think I can work through it.

Did you ever get it to work on Ubuntu? If so, what did you have to do?

OPENSSL_DEFAULT_ZLIB doesn't seem to do anything on Ubuntu 14.04. It
is suggested it should work on earlier versions
(http://www.ubuntu.com/usn/USN-1898-1/) but there is no mention of it
on newer versions.

I can confirm that this env var has the expected effect on Ubuntu 12.04,
but newer versions such as 14.04 come with OpenSSL compiled without zlib
altogether, so there is no way to enable this short of recompiling the
openssl lib, unfortunately.

--
Alex
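
Added example, not part of the thread and not PostgreSQL's own code: a shell helper that reads the psql connection banner quoted in message #1 (including the case where it wraps across lines) and relates the negotiated compression state to what the client requested. The function names are hypothetical, and the banner layout is assumed to be the one shown in message #1.

```shell
#!/bin/sh
# Added example, not code from the thread: read the banner psql prints at
# connect time and report what was actually negotiated.

# ssl_banner_field FIELD  (banner text on stdin)
# Prints the value of FIELD (protocol, cipher, bits, compression).
# Returns 1 if there is no "SSL connection (...)" banner or no such field.
ssl_banner_field() {
    # Join lines first: the banner can wrap mid-list, as in message #1.
    { tr '\n' ' '; echo; } |
    sed -n 's/.*SSL connection (\([^)]*\)).*/\1/p' |
    tr ',' '\n' |
    awk -v want="$1" -F': *' '
        { gsub(/^ +| +$/, "", $1) }
        $1 == want { gsub(/^ +| +$/, "", $2); print $2; found = 1 }
        END { exit !found }'
}

# compression_verdict  (banner text on stdin)
# Prints on, off, or unknown (no SSL banner, or no compression field in it).
compression_verdict() {
    state=$(ssl_banner_field compression) || state=unknown
    case "$state" in
        on|off) echo "$state" ;;
        *)      echo unknown ;;
    esac
}

# explain REQUESTED  (banner on stdin; REQUESTED is the sslcompression value, 0 or 1)
# Relates what the client asked for to what the banner shows.
explain() {
    case "$1:$(compression_verdict)" in
        1:off) echo "requested, not negotiated: check how the OpenSSL build handles compression" ;;
        1:on|0:off) echo "negotiated state matches the request" ;;
        0:on)  echo "compression negotiated although the client asked for none" ;;
        *)     echo "banner does not report compression" ;;
    esac
}

# Banner copied from message #1, including its line wrap.
explain 1 <<'EOF'
psql (9.4.0, server 9.2.9)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits:
256, compression: off)
Type "help" for help.
EOF
```

Against a live server the banner can be piped in the same way, since psql prints it only for interactive sessions.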