Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
On Thu, Feb 18, 2016 at 11:37 PM, Jeff Janes wrote:

> On Fri, Jan 16, 2015 at 10:34 AM, Maciek Sakrejda wrote:
> > Thanks, everyone. That seems to be it. I still haven't gotten it to work (I
> > tried setting OPENSSL_DEFAULT_ZLIB=true in
> > /etc/postgresql/9.2/main/environment and restarting the server, then adding
> > the same env var when connecting with the client), but now that I know where
> > the problem is, I think I can work through it.
>
> Did you ever get it to work on Ubuntu? If so, what did you have to do?
>
> OPENSSL_DEFAULT_ZLIB doesn't seem to do anything on Ubuntu 14.04. It
> is suggested it should work on earlier versions
> (http://www.ubuntu.com/usn/USN-1898-1/) but there is no mention of it
> on newer versions.

I can confirm that this env var has the expected effect on Ubuntu 12.04, but newer versions such as 14.04 come with OpenSSL compiled without zlib altogether, so there is no way to enable this short of recompiling the openssl lib, unfortunately.

--
Alex
Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
On Fri, Jan 16, 2015 at 10:34 AM, Maciek Sakrejda wrote:
> Thanks, everyone. That seems to be it. I still haven't gotten it to work (I
> tried setting OPENSSL_DEFAULT_ZLIB=true in
> /etc/postgresql/9.2/main/environment and restarting the server, then adding
> the same env var when connecting with the client), but now that I know where
> the problem is, I think I can work through it.

Did you ever get it to work on Ubuntu? If so, what did you have to do?

OPENSSL_DEFAULT_ZLIB doesn't seem to do anything on Ubuntu 14.04. It is suggested it should work on earlier versions (http://www.ubuntu.com/usn/USN-1898-1/) but there is no mention of it on newer versions.

Cheers,

Jeff

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
On Fri, Jan 16, 2015 at 08:41:54AM -0800, Adrian Klaver wrote:
> Yes that would seem to be the issue:
>
> https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog
>
> openssl (1.0.1e-3ubuntu1)
>
> Disable compression to avoid CRIME systemwide (CVE-2012-4929).

FWIW, it's likely that the next version of TLS (version 1.3, see [1]) will no longer support compression at all. The consensus appears to be that this is the wrong level to be applying compression. Since the only way to get compression currently in Postgres is via TLS, perhaps we should look at supporting compression natively in future protocol versions. It will take a while for TLS 1.3 to be deployed so there's time, but PostgreSQL protocol revisions go at a similar pace.

Have a nice day,

[1] https://github.com/tlswg/tls13-spec

--
Martijn van Oosterhout http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts. -- Arthur Schopenhauer
Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
On 01/16/2015 10:34 AM, Maciek Sakrejda wrote:
> Thanks, everyone. That seems to be it. I still haven't gotten it to work
> (I tried setting OPENSSL_DEFAULT_ZLIB=true in
> /etc/postgresql/9.2/main/environment and restarting the server, then
> adding the same env var when connecting with the client), but now that I
> know where the problem is, I think I can work through it.

I think environment is for the PG specific env variables that postmaster/postgres understands:

http://www.postgresql.org/docs/9.2/interactive/app-postgres.html

OPENSSL_DEFAULT_ZLIB is a system env variable, you will need to set it in the shell.

> On Fri, Jan 16, 2015 at 9:22 AM, Magnus Hagander wrote:
>
> > There's been a few reports on this now. Perhaps we should add a note
> > to the docs (not necessarily saying how to fix it, as it may differ,
> > but a note saying that many distributions changed the way this is
> > handled and that you might need to set an external override)?
>
> That would definitely have helped me, yes. I'd submit a doc patch, but
> I'm not sure what the right language would be here. Are there other
> similar caveats documented elsewhere I could crib from?

--
Adrian Klaver
adrian.kla...@aklaver.com
Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
Thanks, everyone. That seems to be it. I still haven't gotten it to work (I tried setting OPENSSL_DEFAULT_ZLIB=true in /etc/postgresql/9.2/main/environment and restarting the server, then adding the same env var when connecting with the client), but now that I know where the problem is, I think I can work through it.

On Fri, Jan 16, 2015 at 9:22 AM, Magnus Hagander wrote:

> There's been a few reports on this now. Perhaps we should add a note to
> the docs (not necessarily saying how to fix it, as it may differ, but a
> note saying that many distributions changed the way this is handled and
> that you might need to set an external override)?

That would definitely have helped me, yes. I'd submit a doc patch, but I'm not sure what the right language would be here. Are there other similar caveats documented elsewhere I could crib from?
Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
Magnus Hagander writes:
> There's been a few reports on this now. Perhaps we should add a note to the
> docs (not necessarily saying how to fix it, as it may differ, but a note
> saying that many distributions changed the way this is handled and that you
> might need to set an external override)?

Seems reasonable.

regards, tom lane
Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
On Fri, Jan 16, 2015 at 8:41 AM, Adrian Klaver wrote:

> On 01/16/2015 08:30 AM, Tom Lane wrote:
>
>> Maciek Sakrejda writes:
>>
>>> I'm having a hard time getting SSL compression working (or even figuring
>>> out why it's not working) with my local Postgres server. The setting [1] is
>>> documented to default to on, but according to the banner when I connect
>>> with psql, it's off.
>>
>> Possibly you have the same type of problem mentioned here:
>>
>> http://www.postgresql.org/message-id/CABUevEytxEQtbMeuKpJ8tYjeeB37mzdq7baszezn6egcgrd...@mail.gmail.com
>
> Yes that would seem to be the issue:
>
> https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog
>
> openssl (1.0.1e-3ubuntu1)
>
> Disable compression to avoid CRIME systemwide (CVE-2012-4929).
>
>> although Ubuntu may well have done it a bit differently than Red Hat,
>> ie the way to override openssl's default behavior might be different.
>>
>> regards, tom lane

There's been a few reports on this now. Perhaps we should add a note to the docs (not necessarily saying how to fix it, as it may differ, but a note saying that many distributions changed the way this is handled and that you might need to set an external override)?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
On 01/16/2015 08:30 AM, Tom Lane wrote:
> Maciek Sakrejda writes:
>> I'm having a hard time getting SSL compression working (or even figuring
>> out why it's not working) with my local Postgres server. The setting [1] is
>> documented to default to on, but according to the banner when I connect
>> with psql, it's off.
>
> Possibly you have the same type of problem mentioned here:
>
> http://www.postgresql.org/message-id/cabueveytxeqtbmeukpj8tyjeeb37mzdq7baszezn6egcgrd...@mail.gmail.com

Yes that would seem to be the issue:

https://launchpad.net/ubuntu/trusty/+source/openssl/+changelog

openssl (1.0.1e-3ubuntu1)

Disable compression to avoid CRIME systemwide (CVE-2012-4929).

> although Ubuntu may well have done it a bit differently than Red Hat,
> ie the way to override openssl's default behavior might be different.
>
> regards, tom lane

--
Adrian Klaver
adrian.kla...@aklaver.com
Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
Maciek Sakrejda writes:
> I'm having a hard time getting SSL compression working (or even figuring
> out why it's not working) with my local Postgres server. The setting [1] is
> documented to default to on, but according to the banner when I connect
> with psql, it's off.

Possibly you have the same type of problem mentioned here:

http://www.postgresql.org/message-id/cabueveytxeqtbmeukpj8tyjeeb37mzdq7baszezn6egcgrd...@mail.gmail.com

although Ubuntu may well have done it a bit differently than Red Hat, ie the way to override openssl's default behavior might be different.

regards, tom lane
Re: [GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
On 01/15/2015 01:02 PM, Maciek Sakrejda wrote:
> I'm having a hard time getting SSL compression working (or even figuring
> out why it's not working) with my local Postgres server. The setting [1]
> is documented to default to on, but according to the banner when I
> connect with psql, it's off. It's still off even if I explicitly set
> PGSSLCOMPRESSION=1:
>
> maciek@gamera:~$ PGSSLCOMPRESSION=1 psql -h localhost
> psql (9.4.0, server 9.2.9)
> SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
> Type "help" for help.
>
> Nothing interesting in the logs. As far as I can tell, my OpenSSL
> version is recent enough to support this:

Noticed you are using psql from 9.4 to connect to a 9.2 server. You might want to try the 9.2 version of psql to see if that works?

> maciek@gamera:~$ ldd /usr/lib/postgresql/9.2/bin/postgres | grep ssl
> libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x7f144a25d000)
>
> (is that the right way to check?)

I would use :

dpkg -l | grep openssl

Which on one of my 14.04 instances gives:

ii openssl 1.0.1f-1ubuntu2.8

> I'm running this on Ubuntu 14.04 with PGDG Postgres packages. Any ideas?
>
> Thanks,
> Maciek
>
> [1]: http://www.postgresql.org/docs/9.2/static/libpq-envars.html

--
Adrian Klaver
adrian.kla...@aklaver.com
[GENERAL] sslcompression / PGSSLCOMPRESSION not behaving as documented?
I'm having a hard time getting SSL compression working (or even figuring out why it's not working) with my local Postgres server. The setting [1] is documented to default to on, but according to the banner when I connect with psql, it's off. It's still off even if I explicitly set PGSSLCOMPRESSION=1:

maciek@gamera:~$ PGSSLCOMPRESSION=1 psql -h localhost
psql (9.4.0, server 9.2.9)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

Nothing interesting in the logs. As far as I can tell, my OpenSSL version is recent enough to support this:

maciek@gamera:~$ ldd /usr/lib/postgresql/9.2/bin/postgres | grep ssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x7f144a25d000)

(is that the right way to check?)

I'm running this on Ubuntu 14.04 with PGDG Postgres packages. Any ideas?

Thanks,
Maciek

[1]: http://www.postgresql.org/docs/9.2/static/libpq-envars.html
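
Added example, not part of the thread or of PostgreSQL: a small Python audit that reads captured psql session output and reports, per SSL banner, whether TLS compression was negotiated, which is the condition the distribution change for CRIME (CVE-2012-4929) is meant to prevent. The function names and all sample lines except the banner quoted in the post are constructed for illustration; a banner with no compression field is reported as unknown rather than guessed.

```python
import re

# Matches the SSL line psql prints on connect; its fields are "key: value" pairs.
BANNER_RE = re.compile(r"^SSL connection \((?P<fields>[^)]*)\)\s*$")

def parse_ssl_banner(line):
    """Return the banner's fields as a dict, or None if the line is not an SSL banner."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(","):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def compression_state(line):
    """Classify one line: 'on', 'off', 'unknown' (field absent or odd), or 'no-ssl'."""
    fields = parse_ssl_banner(line)
    if fields is None:
        return "no-ssl"
    value = fields.get("compression", "").lower()
    return value if value in ("on", "off") else "unknown"

def audit(session_log):
    """Return (line_number, state, protocol) for every SSL banner in a captured log."""
    findings = []
    for number, line in enumerate(session_log.splitlines(), start=1):
        state = compression_state(line)
        if state != "no-ssl":
            protocol = parse_ssl_banner(line).get("protocol", "?")
            findings.append((number, state, protocol))
    return findings

# Constructed sample: the first banner is the one quoted in the post; the last
# two lines are made up to exercise the "on" and "field missing" cases.
SAMPLE = """\
psql (9.4.0, server 9.2.9)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: on)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
"""

if __name__ == "__main__":
    for number, state, protocol in audit(SAMPLE):
        print(f"line {number}: compression {state} (protocol {protocol})")
```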