Discussion: SSL compression info in psql header

SSL compression info in psql header

From
Magnus Hagander
Date:
It's today really hard to figure out if your SSL connection is
actually *using* SSL compression. This got extra hard when the
default value started getting influenced by environment variables at
least on many platforms after the CRIME attacks. ISTM we should be
making this easier for the user.

Attached patch adds compression info at least to the header of the
psql banner, as that's very non-intrusive. I think this is a small
enough change, yet very useful, that we should squeeze it into 9.4
before the next beta. Not sure if it can be qualified enough of a bug
to backpatch further than that though.

As far as my research shows, the function
SSL_get_current_compression() which it uses was added in OpenSSL
0.9.6, which is a long time ago (stopped being maintained in 2004).
AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
on it, especially since we only check for whether it returns NULL or
not.

Comments?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Attachments

Re: SSL compression info in psql header

From
Robert Haas
Date:
On Sat, Jul 12, 2014 at 8:49 AM, Magnus Hagander <magnus@hagander.net> wrote:
> It's today really hard to figure out if your SSL connection is
> actually *using* SSL compression. This got extra hard when the
> default value started getting influenced by environment variables at
> least on many platforms after the CRIME attacks. ISTM we should be
> making this easier for the user.
>
> Attached patch adds compression info at least to the header of the
> psql banner, as that's very non-intrusive. I think this is a small
> enough change, yet very useful, that we should squeeze it into 9.4
> before the next beta. Not sure if it can be qualified enough of a bug
> to backpatch further than that though.
>
> As far as my research shows, the function
> SSL_get_current_compression() which it uses was added in OpenSSL
> 0.9.6, which is a long time ago (stopped being maintained in 2004).
> AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
> on it, especially since we only check for whether it returns NULL or
> not.
>
> Comments?

Seems like a fine change.  I think it would be OK to slip it into 9.4,
too, but I don't think we should back-patch it further than that.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



Re: SSL compression info in psql header

From
Magnus Hagander
Date:
On Tue, Jul 15, 2014 at 1:08 AM, Robert Haas <robertmhaas@gmail.com> wrote:
> On Sat, Jul 12, 2014 at 8:49 AM, Magnus Hagander <magnus@hagander.net> wrote:
>> It's today really hard to figure out if your SSL connection is
>> actually *using* SSL compression. This got extra hard when the
>> default value started getting influenced by environment variables at
>> least on many platforms after the CRIME attacks. ISTM we should be
>> making this easier for the user.
>>
>> Attached patch adds compression info at least to the header of the
>> psql banner, as that's very non-intrusive. I think this is a small
>> enough change, yet very useful, that we should squeeze it into 9.4
>> before the next beta. Not sure if it can be qualified enough of a bug
>> to backpatch further than that though.
>>
>> As far as my research shows, the function
>> SSL_get_current_compression() which it uses was added in OpenSSL
>> 0.9.6, which is a long time ago (stopped being maintained in 2004).
>> AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
>> on it, especially since we only check for whether it returns NULL or
>> not.
>>
>> Comments?
>
> Seems like a fine change.  I think it would be OK to slip it into 9.4,
> too, but I don't think we should back-patch it further than that.

Applied and backpatched to 9.4. I also included updating the similar
row that goes in the server log (new as of 9.4) to include it, for
consistency.


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
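
An added example (not part of the thread and not PostgreSQL code): a Python audit of server log lines that reports which authorized sessions negotiated SSL compression, using the log row the message above says now carries that information. The `SSL enabled (protocol=..., cipher=..., compression=...)` layout is assumed from PostgreSQL 9.4's log_connections output, and the sample lines, users and databases are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout is assumed from what PostgreSQL 9.4
# writes with log_connections = on; it is not quoted from the thread.
SAMPLE_LOG = """\
2014-07-15 16:02:10 UTC LOG:  connection received: host=10.0.0.5 port=51234
2014-07-15 16:02:11 UTC LOG:  connection authorized: user=app database=orders SSL enabled (protocol=TLSv1.2, cipher=DHE-RSA-AES256-SHA, compression=on)
2014-07-15 16:02:14 UTC LOG:  connection authorized: user=report database=orders SSL enabled (protocol=TLSv1.2, cipher=DHE-RSA-AES256-SHA, compression=off)
2014-07-15 16:02:19 UTC LOG:  connection authorized: user=batch database=orders
2014-07-15 16:02:25 UTC LOG:  connection authorized: user=legacy database=crm SSL enabled (protocol=TLSv1, cipher=AES128-SHA)
"""

AUTH_RE = re.compile(
    r"connection authorized: user=(?P<user>\S+) database=(?P<db>\S+)(?P<rest>.*)$")
SSL_RE = re.compile(r"SSL enabled \((?P<fields>[^)]*)\)")


def classify(line):
    """Return (user, db, state) for a 'connection authorized' line, else None.

    state: 'on', 'off', 'no-ssl', or 'unknown' when the SSL details carry no
    usable compression field.
    """
    m = AUTH_RE.search(line)
    if not m:
        return None
    ssl = SSL_RE.search(m.group("rest"))
    if not ssl:
        return m.group("user"), m.group("db"), "no-ssl"
    fields = dict(f.strip().split("=", 1)
                  for f in ssl.group("fields").split(",") if "=" in f)
    state = fields.get("compression", "unknown")
    if state not in ("on", "off"):
        state = "unknown"
    return m.group("user"), m.group("db"), state


def audit(text):
    """Group authorized sessions by compression state."""
    groups = defaultdict(list)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            groups[hit[2]].append(hit[:2])
    return dict(groups)


if __name__ == "__main__":
    for state, sessions in sorted(audit(SAMPLE_LOG).items()):
        print(f"compression {state}: {sessions}")
```

Sessions reported as `on` are the ones to follow up, for example by setting libpq's `sslcompression=0` on that client.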



Re: SSL compression info in psql header

From
Tom Lane
Date:
Magnus Hagander <magnus@hagander.net> writes:
> As far as my research shows, the function
> SSL_get_current_compression() which it uses was added in OpenSSL
> 0.9.6, which is a long time ago (stopped being maintained in 2004).
> AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
> on it, especially since we only check for whether it returns NULL or
> not.

The buildfarm begs to differ.  I think you'll need a configure check
for whether the function exists.
        regards, tom lane



Re: SSL compression info in psql header

From
Magnus Hagander
Date:
On Tue, Jul 15, 2014 at 4:28 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> As far as my research shows, the function
>> SSL_get_current_compression() which it uses was added in OpenSSL
>> 0.9.6, which is a long time ago (stopped being maintained in 2004).
>> AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
>> on it, especially since we only check for whether it returns NULL or
>> not.
>
> The buildfarm begs to differ.  I think you'll need a configure check
> for whether the function exists.

Crap.

Out of curiosity, since one of those boxes seems to be yours, which
version of OpenSSL does it actually have?


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/



Re: SSL compression info in psql header

From
Tom Lane
Date:
Magnus Hagander <magnus@hagander.net> writes:
> Out of curiosity, since one of those boxes seems to be yours, which
> version of OpenSSL does it actually have?

Claims to be 0.9.7:

cube:~ tgl$ ls -l /usr/lib/*ssl*
-rwxr-xr-x   1 root  wheel  266940 Nov  7  2010 /usr/lib/libssl.0.9.7.dylib*
-rwxr-xr-x   1 root  wheel  257700 Nov  7  2010 /usr/lib/libssl.0.9.dylib*
lrwxr-xr-x   1 root  wheel      18 Jul  1  2009 /usr/lib/libssl.dylib@ -> libssl.0.9.7.dylib

The box evidently has "0.9" installed as well, but our build should be
seizing on the symlink and finding 0.9.7.
        regards, tom lane



Re: SSL compression info in psql header

From
Magnus Hagander
Date:
On Tue, Jul 15, 2014 at 4:41 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> Out of curiosity, since one of those boxes seems to be yours, which
>> version of OpenSSL does it actually have?
>
> Claims to be 0.9.7:
>
> cube:~ tgl$ ls -l /usr/lib/*ssl*
> -rwxr-xr-x   1 root  wheel  266940 Nov  7  2010 /usr/lib/libssl.0.9.7.dylib*
> -rwxr-xr-x   1 root  wheel  257700 Nov  7  2010 /usr/lib/libssl.0.9.dylib*
> lrwxr-xr-x   1 root  wheel      18 Jul  1  2009 /usr/lib/libssl.dylib@ -> libssl.0.9.7.dylib
>
> The box evidently has "0.9" installed as well, but our build should be
> seizing on the symlink and finding 0.9.7.

Weird. It should be in that version.

Either way, we clearly need a configure check for it.

Being a complete newbie when it comes to writing configure checks -
does this seem correct?


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Attachments

Re: SSL compression info in psql header

From
Tom Lane
Date:
Magnus Hagander <magnus@hagander.net> writes:
> Being a complete newbie when it comes to writing configure checks -
> does this seem correct?

Looks reasonable to me.
        regards, tom lane



Re: SSL compression info in psql header

From
Magnus Hagander
Date:
On Tue, Jul 15, 2014 at 6:03 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> Being a complete newbie when it comes to writing configure checks -
>> does this seem correct?
>
> Looks reasonable to me.

Thanks, I've applied it - let's hope the buildfarm is happier now.


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/