Set libpq sslcompression to off by default

Since SSL compression is no longer recommended, turn the default in
libpq from on to off.

OpenSSL 1.1.0 and many distribution packages already turn compression
off by default, so such a server won't accept compression anyway.  So
this will mainly affect users of older OpenSSL installations.

Also update the documentation to make clear that this setting is no
longer recommended.

Discussion: https://www.postgresql.org/message-id/flat/595cf3b1-4ffe-7f05-6f72-f72b7afa7993%402ndquadrant.com

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index da9421486b443d04807db0ec17dd6dd3575384ec..1fd5dd9fca6c41938b745bc3b78159b320f9e842 100644 (file)
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1438,19 +1438,28 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <term><literal>sslcompression</literal></term>
       <listitem>
        <para>
-        If set to 1 (default), data sent over SSL connections will be
-        compressed.
-        If set to 0, compression will be disabled (this requires
-        <productname>OpenSSL</productname> 1.0.0 or later).
-        This parameter is ignored if a connection without SSL is made,
-        or if the version of <productname>OpenSSL</productname> used does not support
-        it.
+        If set to 1, data sent over SSL connections will be compressed.  If
+        set to 0, compression will be disabled.  The default is 0.  This
+        parameter is ignored if a connection without SSL is made.
        </para>
+
+       <para>
+        SSL compression is nowadays considered insecure and its use is no
+        longer recommended.  <productname>OpenSSL</productname> 1.1.0 disables
+        compression by default, and many operating system distributions
+        disable it in prior versions as well, so setting this parameter to on
+        will not have any effect if the server does not accept compression.
+        On the other hand, <productname>OpenSSL</productname> before 1.0.0
+        does not support disabling compression, so this parameter is ignored
+        with those versions, and whether compression is used depends on the
+        server.
+       </para>
+
        <para>
-        Compression uses CPU time, but can improve throughput if
-        the network is the bottleneck.
-        Disabling compression can improve response time and throughput
-        if CPU performance is the limiting factor.
+        If security is not a primary concern, compression can improve
+        throughput if the network is the bottleneck.  Disabling compression
+        can improve response time and throughput if CPU performance is the
+        limiting factor.
        </para>
       </listitem>
      </varlistentry>

diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 77eebb0ba13dc6c7590ec6e6baba9dfb1e682529..39c19998c2256412f0125f0d9fa26e87195b97bb 100644 (file)
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -279,7 +279,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
                "SSL-Mode", "", 12,             /* sizeof("verify-full") == 12 */
        offsetof(struct pg_conn, sslmode)},
 
-       {"sslcompression", "PGSSLCOMPRESSION", "1", NULL,
+       {"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
                "SSL-Compression", "", 1,
        offsetof(struct pg_conn, sslcompression)},
 

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 127122563c2cd50864c07501a0f558385b4bc438..1a35b30dbcdf9c47bb51d7f6d69e1bb669ba02f4 100644 (file)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1188,14 +1188,14 @@ initialize_SSL(PGconn *conn)
                SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
 
        /*
-        * If the OpenSSL version used supports it (from 1.0.0 on) and the user
-        * requested it, disable SSL compression.
+        * Set compression option if the OpenSSL version used supports it (from
+        * 1.0.0 on).
         */
 #ifdef SSL_OP_NO_COMPRESSION
        if (conn->sslcompression && conn->sslcompression[0] == '0')
-       {
                SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
-       }
+       else
+               SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
 #endif
 
        return 0;