On Thu, Mar 8, 2018 at 11:06 PM, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote: > On 3/8/18 14:23, Claudio Freire wrote: >> On Thu, Mar 8, 2018 at 3:40 PM, Peter Eisentraut >> <peter.eisentr...@2ndquadrant.com> wrote: >>> It appears that SSL compression is nowadays deprecated as insecure. >>> Yet, it is still enabled by libpq by default, and there is no way to >>> disable it in the server. Should we make some changes here? Does >>> anyone know more about this? >> >> Even if libpq enables it, it has to be enabled both in the client and >> the server for it to work. >> >> OpenSSL disables the whole feature by default, and enabling it is >> rather cumbersome. The result is that, at least with OpenSSL, the >> server and client won't accept compression without extensive fiddling >> by the user. > > But however that may be, libpq appears to enable it by default. This is > what I get from psql: > > SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, > bits: 256, compression: on)
I don't get that: SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) Even if I set OPENSSL_DEFAULT_ZLIB=1 on the client, I get the same. The serverside refuses.
