Re: libpq compression

From Magnus Hagander
Subject Re: libpq compression
Date
Msg-id CABUevExi-cJ6AvF2kDOy+qQsB+0JHofrcvVmNVoJ2HziZMMaAg@mail.gmail.com
In response to Re: libpq compression  (Florian Pflug <fgp@phlo.org>)
Responses Re: libpq compression  (Florian Pflug <fgp@phlo.org>)
List pgsql-hackers
On Fri, Jun 15, 2012 at 5:52 PM, Florian Pflug <fgp@phlo.org> wrote:
> On Jun15, 2012, at 07:50 , Magnus Hagander wrote:
>>>> So I've got very little patience with the idea of "let's put in some
>>>> hooks and then great things will happen".  It would be far better all
>>>> around if we supported exactly one, well-chosen, method.  But really
>>>> I still don't see a reason not to let openssl do it for us.
>>>
>>> Do we just need to document SSL's NULL encryption option?
>>
>> Does the SSL NULL encryption+compression thing work if you're not
>> using openssl?
>
> The compression support is defined in RFC 3749, and according to
> http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations it's
> supported in openssl and gnutls.
>
> gnutls also seems to support a NULL cipher - gnutls-cli on my Ubuntu
> 10.04 box prints
>
> Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128,
> ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL.

ah, thanks for looking that up for me!

The other big one to consider would be GNUTLS - which also has support
for compression, I see.

I guess a related question is if they all allow us to turn it *off*,
which we now do support on openssl :) gnutls does, I didn't look into
nss.

>> For one thing, some of us still hold a hope to support non-openssl
>> libraries in both libpq and server side, so it's something that would
>> need to be supported by the standard and thus available in most
>> libraries not to invalidate that.
>
> Well, it's a standard at least, and both openssl and gnutls seem to
> support it. Are there any other ssl implementations beside gnutls and
> openssl that we need to worry about?

NSS would be the big one, and in theory microsoft schannel if we were
to go there (that would give us access to easy use of the windows
certificate store so there might be a reason - but not a very big one,
to support that).


>> Second, we also have things like the JDBC driver and the .Net driver
> that don't use libpq. The JDBC driver uses the native java ssl
>> support, AFAIK. Does that one support the compression, and does it
>> support controlling it?
>
> Java uses pluggable providers with standardized interfaces for most
> things related to encryption. SSL support is provided by JSSE
> (Java Secure Socket Extension). The JSSE implementation included with
> the oracle JRE doesn't seem to support compression according to the
> wikipedia page quoted above. But chances are that there exists an
> alternative implementation which does.

Yeah, but that alone is IMO a rather big blocker for claiming that
this is the only way to do it :( And I think the fact that that
wikipedia page doesn't list any other ones, is a sign that there might
not be a lot of other choices out there in reality - especially not
opensource...

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

