git.postgresql.org Git - postgresql.git/commitdiff

(parent: 8a3d942)
Set libpq sslcompression to off by default
17 March 2018 12:56:50 +0000 (08:56 -0400)
17 March 2018 13:17:33 +0000 (09:17 -0400)
Since SSL compression is no longer recommended, turn the default in
libpq from on to off.

OpenSSL 1.1.0 and many distribution packages already turn compression
off by default, so such a server won't accept compression anyway. So
this will mainly affect users of older OpenSSL installations.

Also update the documentation to make clear that this setting is no
longer recommended.

Discussion: https://www.postgresql.org/message-id/flat/595cf3b1-4ffe-7f05-6f72-f72b7afa7993%402ndquadrant.com


diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index da9421486b443d04807db0ec17dd6dd3575384ec..1fd5dd9fca6c41938b745bc3b78159b320f9e842 100644 (file)
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1438,19 +1438,28 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<term><literal>sslcompression</literal></term>
<listitem>
<para>
- If set to 1 (default), data sent over SSL connections will be
- compressed.
- If set to 0, compression will be disabled (this requires
- <productname>OpenSSL</productname> 1.0.0 or later).
- This parameter is ignored if a connection without SSL is made,
- or if the version of <productname>OpenSSL</productname> used does not support
- it.
+ If set to 1, data sent over SSL connections will be compressed. If
+ set to 0, compression will be disabled. The default is 0. This
+ parameter is ignored if a connection without SSL is made.
</para>
+
+ <para>
+ SSL compression is nowadays considered insecure and its use is no
+ longer recommended. <productname>OpenSSL</productname> 1.1.0 disables
+ compression by default, and many operating system distributions
+ disable it in prior versions as well, so setting this parameter to on
+ will not have any effect if the server does not accept compression.
+ On the other hand, <productname>OpenSSL</productname> before 1.0.0
+ does not support disabling compression, so this parameter is ignored
+ with those versions, and whether compression is used depends on the
+ server.
+ </para>
+
<para>
- Compression uses CPU time, but can improve throughput if
- the network is the bottleneck.
- Disabling compression can improve response time and throughput
- if CPU performance is the limiting factor.
+ If security is not a primary concern, compression can improve
+ throughput if the network is the bottleneck. Disabling compression
+ can improve response time and throughput if CPU performance is the
+ limiting factor.
</para>
</listitem>
</varlistentry>
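Review bot: the second added paragraph says "setting this parameter to on", but the paragraph directly above it documents the values as 1 and 0 ("If set to 1 ... If set to 0 ... The default is 0"); use "to 1" so the two paragraphs agree. The removed sentence also stated both ignore conditions (no SSL, and an OpenSSL that does not support the option) in one place, whereas the new first paragraph mentions only the no-SSL case and leaves the pre-1.0.0 OpenSSL case to the next paragraph; a short cross-reference such as "This parameter is ignored if a connection without SSL is made (see below for OpenSSL version limitations)" would keep a reader of the first paragraph from taking it as the only case.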
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 77eebb0ba13dc6c7590ec6e6baba9dfb1e682529..39c19998c2256412f0125f0d9fa26e87195b97bb 100644 (file)
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -279,7 +279,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"SSL-Mode", "", 12, /* sizeof("verify-full") == 12 */
offsetof(struct pg_conn, sslmode)},
- {"sslcompression", "PGSSLCOMPRESSION", "1", NULL,
+ {"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
"SSL-Compression", "", 1,
offsetof(struct pg_conn, sslcompression)},
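Review bot: changing the compiled-in default from "1" to "0" only affects connections that do not set the option at all; as this same entry shows, the PGSSLCOMPRESSION environment variable and an explicit sslcompression in the connection string still take precedence, so a client that sets 1 continues to request compression after the upgrade. That is the right behaviour, but it is worth saying in the commit message or release notes so that operators do not assume the new default alone turns compression off everywhere.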
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 127122563c2cd50864c07501a0f558385b4bc438..1a35b30dbcdf9c47bb51d7f6d69e1bb669ba02f4 100644 (file)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1188,14 +1188,14 @@ initialize_SSL(PGconn *conn)
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
/*
- * If the OpenSSL version used supports it (from 1.0.0 on) and the user
- * requested it, disable SSL compression.
+ * Set compression option if the OpenSSL version used supports it (from
+ * 1.0.0 on).
*/
#ifdef SSL_OP_NO_COMPRESSION
if (conn->sslcompression && conn->sslcompression[0] == '0')
- {
SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
- }
+ else
+ SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
#endif
return 0;
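Review bot: the new else branch changes behaviour for the NULL and non-"0" cases. With `if (conn->sslcompression && conn->sslcompression[0] == '0')`, a NULL sslcompression or any value whose first character is not '0' (for example "off", "no", or a typo) now reaches `SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION)`, which actively removes the option from this SSL object even if it had been set on the SSL_CTX it was created from; the old code left those cases untouched. Given that the commit's intent is compression off by default, consider treating NULL like "0" and clearing the option only when the value is explicitly "1" (or rejecting other values), so that an unexpected value fails safe. The new comment could also state that the option is cleared for every other value, since that is the behaviour the else branch introduces.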