Revert changes for SSL compression in libpq

This partially reverts 096bbf7 and 9d2d457, undoing the libpq changes as it could cause breakages in distributions that share one single libpq version across multiple major versions of Postgres for extensions and applications linking to that. Note that the backend is unchanged here, and it still disables SSL compression while simplifying the underlying catalogs that tracked if compression was enabled or not for a SSL connection. Per discussion with Tom Lane and Daniel Gustafsson. Discussion: https://postgr.es/m/YEbq15JKJwIX+S6m@paquier.xyz
author: Michael Paquier <michael@paquier.xyz> 2021-03-10 09:35:42 +0900
committer: Michael Paquier <michael@paquier.xyz> 2021-03-10 09:35:42 +0900
commit: 0ba71107efeeccde9158f47118f95043afdca0bb (patch)
tree: 88e76f41af9d3fe66ecee5b4d4bb552d1210bd67
parent: 6540cc517dd452874a4e0fb268aee9b92e5136c6 (diff)
download: postgresql-0ba71107efeeccde9158f47118f95043afdca0bb.tar.gz
postgresql-0ba71107efeeccde9158f47118f95043afdca0bb.zip
8 files changed, 55 insertions, 27 deletions
diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index f17f3b6c294..0649b6b81cd 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -163,11 +163,11 @@ ALTER SERVER testserver1 OPTIONS (
 	keepalives_interval 'value',
 	tcp_user_timeout 'value',
 	-- requiressl 'value',
+	sslcompression 'value',
 	sslmode 'value',
 	sslcert 'value',
 	sslkey 'value',
 	sslrootcert 'value',
-	sslcompression 'value',
 	sslcrl 'value',
 	--requirepeer 'value',
 	krbsrvname 'value',
diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql
index be5618f7592..2b525ea44a8 100644
--- a/contrib/postgres_fdw/sql/postgres_fdw.sql
+++ b/contrib/postgres_fdw/sql/postgres_fdw.sql
@@ -177,11 +177,11 @@ ALTER SERVER testserver1 OPTIONS (
 	keepalives_interval 'value',
 	tcp_user_timeout 'value',
 	-- requiressl 'value',
+	sslcompression 'value',
 	sslmode 'value',
 	sslcert 'value',
 	sslkey 'value',
 	sslrootcert 'value',
-	sslcompression 'value',
 	sslcrl 'value',
 	--requirepeer 'value',
 	krbsrvname 'value',
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 2e0c06102ee..910e9a81eaf 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1640,7 +1640,26 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <term><literal>sslcompression</literal></term>
       <listitem>
        <para>
-        Ignored (formerly, this specified whether to attempt SSL compression).
+        If set to 1, data sent over SSL connections will be compressed.  If
+        set to 0, compression will be disabled.  The default is 0.  This
+        parameter is ignored if a connection without SSL is made.
+       </para>
+
+       <para>
+        SSL compression is nowadays considered insecure and its use is no
+        longer recommended.  <productname>OpenSSL</productname> 1.1.0 disables
+        compression by default, and many operating system distributions
+        disable it in prior versions as well, so setting this parameter to on
+        will not have any effect if the server does not accept compression.
+        <productname>PostgreSQL</productname> 14 disables compression
+        completely in the backend.
+       </para>
+
+       <para>
+        If security is not a primary concern, compression can improve
+        throughput if the network is the bottleneck.  Disabling compression
+        can improve response time and throughput if CPU performance is the
+        limiting factor.
        </para>
       </listitem>
      </varlistentry>
@@ -2533,7 +2552,9 @@ const char *PQsslAttribute(const PGconn *conn, const char *attribute_name);
          <term><literal>compression</literal></term>
           <listitem>
            <para>
-            SSL compression is no longer supported, always returns "off".
+            If SSL compression is in use, returns the name of the compression
+            algorithm, or "on" if compression is used but the algorithm is
+            not known. If compression is not in use, returns "off".
            </para>
           </listitem>
          </varlistentry>
@@ -7171,6 +7192,16 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
     <listitem>
      <para>
       <indexterm>
+       <primary><envar>PGSSLCOMPRESSION</envar></primary>
+      </indexterm>
+      <envar>PGSSLCOMPRESSION</envar> behaves the same as the <xref
+      linkend="libpq-connect-sslcompression"/> connection parameter.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      <indexterm>
        <primary><envar>PGSSLCERT</envar></primary>
       </indexterm>
       <envar>PGSSLCERT</envar> behaves the same as the <xref
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 8d6970a4f34..c98e3d31d0c 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -3509,6 +3509,7 @@ printSSLInfo(void)
 	const char *protocol;
 	const char *cipher;
 	const char *bits;
+	const char *compression;
 
 	if (!PQsslInUse(pset.db))
 		return;					/* no SSL */
@@ -3516,11 +3517,13 @@ printSSLInfo(void)
 	protocol = PQsslAttribute(pset.db, "protocol");
 	cipher = PQsslAttribute(pset.db, "cipher");
 	bits = PQsslAttribute(pset.db, "key_bits");
+	compression = PQsslAttribute(pset.db, "compression");
 
-	printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s)\n"),
+	printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s, compression: %s)\n"),
 		   protocol ? protocol : _("unknown"),
 		   cipher ? cipher : _("unknown"),
-		   bits ? bits : _("unknown"));
+		   bits ? bits : _("unknown"),
+		   (compression && strcmp(compression, "off") != 0) ? _("on") : _("off"));
 }
 
 /*
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index aeb64c5bca3..29054bad7b4 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -275,12 +275,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"SSL-Mode", "", 12,		/* sizeof("verify-full") == 12 */
 	offsetof(struct pg_conn, sslmode)},
 
-	/*
-	 * "sslcompression" is no longer used, but keep it present for backwards
-	 * compatibility.
-	 */
-	{"sslcompression", NULL, NULL, NULL,
-	"SSL-Compression", "", 1, -1},
+	{"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
+		"SSL-Compression", "", 1,
+	offsetof(struct pg_conn, sslcompression)},
 
 	{"sslcert", "PGSSLCERT", NULL, NULL,
 		"SSL-Client-Cert", "", 64,
@@ -4054,6 +4051,8 @@ freePGconn(PGconn *conn)
 		free(conn->sslcrl);
 	if (conn->sslcrldir)
 		free(conn->sslcrldir);
+	if (conn->sslcompression)
+		free(conn->sslcompression);
 	if (conn->requirepeer)
 		free(conn->requirepeer);
 	if (conn->ssl_min_protocol_version)
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index c88dd3a1183..0fa10a23b4a 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1257,8 +1257,13 @@ initialize_SSL(PGconn *conn)
 	if (have_rootcert)
 		SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
 
-	/* disable SSL compression */
-	SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+	/*
+	 * Set compression option if necessary.
+	 */
+	if (conn->sslcompression && conn->sslcompression[0] == '0')
+		SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+	else
+		SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
 
 	return 0;
 }
@@ -1548,12 +1553,8 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
 	if (strcmp(attribute_name, "cipher") == 0)
 		return SSL_get_cipher(conn->ssl);
 
-	/*
-	 * SSL compression is disabled, so even if connecting to an older server
-	 * which still supports it, it will not be active.
-	 */
 	if (strcmp(attribute_name, "compression") == 0)
-		return "off";
+		return SSL_get_current_compression(conn->ssl) ? "on" : "off";
 
 	if (strcmp(attribute_name, "protocol") == 0)
 		return SSL_get_version(conn->ssl);
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0965c5ac511..adf149a76f9 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -358,6 +358,7 @@ struct pg_conn
 	char	   *keepalives_count;	/* maximum number of TCP keepalive
 									 * retransmits */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
+	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
 	char	   *sslcert;		/* client certificate filename */
 	char	   *sslpassword;	/* client key file password */
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index ee97f6f0697..bfada03d3eb 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -17,7 +17,7 @@ if ($ENV{with_ssl} ne 'openssl')
 }
 else
 {
-	plan tests => 101;
+	plan tests => 100;
 }
 
 #### Some configuration
@@ -157,13 +157,6 @@ test_connect_fails(
 	qr/root certificate file "invalid" does not exist/,
 	"connect without server root cert sslmode=verify-full");
 
-# Test deprecated SSL parameters, still accepted for backwards
-# compatibility.
-test_connect_ok(
-	$common_connstr,
-	"sslrootcert=invalid sslmode=require sslcompression=1 requiressl=1",
-	"connect with deprecated connection parameters");
-
 # Try with wrong root cert, should fail. (We're using the client CA as the
 # root, but the server's key is signed by the server CA.)
 test_connect_fails($common_connstr,
author	Michael Paquier <michael@paquier.xyz>	2021-03-10 09:35:42 +0900
committer	Michael Paquier <michael@paquier.xyz>	2021-03-10 09:35:42 +0900
commit	0ba71107efeeccde9158f47118f95043afdca0bb (patch)
tree	88e76f41af9d3fe66ecee5b4d4bb552d1210bd67
parent	6540cc517dd452874a4e0fb268aee9b92e5136c6 (diff)
download	postgresql-0ba71107efeeccde9158f47118f95043afdca0bb.tar.gz postgresql-0ba71107efeeccde9158f47118f95043afdca0bb.zip