On Thu, Feb 18, 2021 at 1:51 PM Daniel Gustafsson <dan...@yesql.se> wrote:
>
> A few years ago we discussed whether to disable SSL compression [0] which 
> ended
> up with it being off by default combined with a recommendation against it in
> the docs.
>
> OpenSSL themselves disabled SSL compression by default in 2016 in 1.1.0 with
> distros often having had it disabled for a long while before then.  Further,
> TLSv1.3 removes compression entirely on the protocol level mandating that only
> NULL compression is allowed in the ClientHello.  NSS, which is discussed in
> another thread, removed SSL compression entirely in version 3.33 in 2017.
>
> It seems about time to revisit this since it's unlikely to work anywhere but 
> in
> a very small subset of system setups (being disabled by default everywhere) 
> and
> is thus likely to be very untested at best.  There is also the security aspect
> which is less clear-cut for us compared to HTTP client/servers, but not 
> refuted
> (the linked thread has a good discussion on this).

Agreed. It will also help with not having to implement it in new SSL
implementations I'm sure :)


> The attached removes sslcompression to see what it would look like.  The 
> server
> actively disallows it and the parameter is removed, but the sslcompression
> column in the stat view is retained.  An alternative could be to retain the
> parameter but not act on it in order to not break scripts etc, but that just
> postpones the pain until when we inevitably do remove it.
>
> Thoughts?  Any reason to keep supporting SSL compression or is it time for v14
> to remove it?  Are there still users leveraging this for protocol compression
> without security making it worthwhile to keep?

When the last round of discussion happened, I had multiple customers
who did exactly that. None of them do that anymore, due to the pain of
making it work...

I think for libpq we want to keep the option for a while but making it
a no-op, to not unnecessarily break systems where people just upgrade
libpq, though. And document it as such having no effect and "will
eventually be removed".

-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/


Reply via email to