Re: SSL compression info in psql header

Lists: pgsql-hackers
From: Magnus Hagander <magnus(at)hagander(dot)net>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: SSL compression info in psql header
Date: 2014-07-12 12:49:49
Message-ID: CABUevEx_zFETGdMjar-Dk3JM6k6q7kf3ks254bCo5Vhe22ZdMg@mail.gmail.com

It's today really hard to figure out if your SSL connection is
actually *using* SSL compression. This got extra hard when the
default value started getting influenced by environment variables at
least on many platforms after the CRIME attacks. ISTM we should be
making this easier for the user.

Attached patch adds compression info at least to the header of the
psql banner, as that's very non-intrusive. I think this is a small
enough change, yet very useful, that we should squeeze it into 9.4
before the next beta. Not sure if it can be qualified enough of a bug
to backpatch further than that though.

As far as my research shows, the function
SSL_get_current_compression() which it uses was added in OpenSSL
0.9.6, which is a long time ago (stopped being maintained in 2004).
AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
on it, especially since we only check for whether it returns NULL or
not.

Comments?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Attachment Content-Type Size
psql_sslcompress.patch text/x-patch 628 bytes

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL compression info in psql header
Date: 2014-07-14 23:08:15
Message-ID: CA+TgmobeMsFgnu6Q60zujQV=SW2ftF0FM7jmXYPeDs_HyRa=Mw@mail.gmail.com

On Sat, Jul 12, 2014 at 8:49 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> It's today really hard to figure out if your SSL connection is
> actually *using* SSL compression. This got extra hard when the
> default value started getting influenced by environment variables at
> least on many platforms after the CRIME attacks. ISTM we should be
> making this easier for the user.
>
> Attached patch adds compression info at least to the header of the
> psql banner, as that's very non-intrusive. I think this is a small
> enough change, yet very useful, that we should squeeze it into 9.4
> before the next beta. Not sure if it can be qualified enough of a bug
> to backpatch further than that though.
>
> As far as my research shows, the function
> SSL_get_current_compression() which it uses was added in OpenSSL
> 0.9.6, which is a long time ago (stopped being maintained in 2004).
> AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
> on it, especially since we only check for whether it returns NULL or
> not.
>
> Comments?

Seems like a fine change. I think it would be OK to slip it into 9.4,
too, but I don't think we should back-patch it further than that.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL compression info in psql header
Date: 2014-07-15 13:12:54
Message-ID: CABUevEy2OjjPfz8WrsE6CY5GxJP2YVPR5FfwVg8D7tkf4DZi5Q@mail.gmail.com

On Tue, Jul 15, 2014 at 1:08 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Sat, Jul 12, 2014 at 8:49 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>> It's today really hard to figure out if your SSL connection is
>> actually *using* SSL compression. This got extra hard when the
>> default value started getting influenced by environment variables at
>> least on many platforms after the CRIME attacks. ISTM we should be
>> making this easier for the user.
>>
>> Attached patch adds compression info at least to the header of the
>> psql banner, as that's very non-intrusive. I think this is a small
>> enough change, yet very useful, that we should squeeze it into 9.4
>> before the next beta. Not sure if it can be qualified enough of a bug
>> to backpatch further than that though.
>>
>> As far as my research shows, the function
>> SSL_get_current_compression() which it uses was added in OpenSSL
>> 0.9.6, which is a long time ago (stopped being maintained in 2004).
>> AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
>> on it, especially since we only check for whether it returns NULL or
>> not.
>>
>> Comments?
>
> Seems like a fine change. I think it would be OK to slip it into 9.4,
> too, but I don't think we should back-patch it further than that.

Applied and backpatched to 9.4. I also included updating the similar
row that goes in the server log (new as of 9.4) to include it, for
consistency.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL compression info in psql header
Date: 2014-07-15 14:28:07
Message-ID: 16343.1405434487@sss.pgh.pa.us

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> As far as my research shows, the function
> SSL_get_current_compression() which it uses was added in OpenSSL
> 0.9.6, which is a long time ago (stopped being maintained in 2004).
> AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
> on it, especially since we only check for whether it returns NULL or
> not.

The buildfarm begs to differ. I think you'll need a configure check
for whether the function exists.

regards, tom lane


From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL compression info in psql header
Date: 2014-07-15 14:30:39
Message-ID: CABUevExOo2Tg1OR56O6g5DSdiS4BuE7xxrMqNos8foxnQcfsfA@mail.gmail.com

On Tue, Jul 15, 2014 at 4:28 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> As far as my research shows, the function
>> SSL_get_current_compression() which it uses was added in OpenSSL
>> 0.9.6, which is a long time ago (stopped being maintained in 2004).
>> AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely
>> on it, especially since we only check for whether it returns NULL or
>> not.
>
> The buildfarm begs to differ. I think you'll need a configure check
> for whether the function exists.

Crap.

Out of curiosity, since one of those boxes seems to be yours, which
version of OpenSSL does it actually have?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL compression info in psql header
Date: 2014-07-15 14:41:35
Message-ID: 16692.1405435295@sss.pgh.pa.us

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> Out of curiosity, since one of those boxes seems to be yours, which
> version of OpenSSL does it actually have?

Claims to be 0.9.7:

cube:~ tgl$ ls -l /usr/lib/*ssl*
-rwxr-xr-x 1 root wheel 266940 Nov 7 2010 /usr/lib/libssl.0.9.7.dylib*
-rwxr-xr-x 1 root wheel 257700 Nov 7 2010 /usr/lib/libssl.0.9.dylib*
lrwxr-xr-x 1 root wheel 18 Jul 1 2009 /usr/lib/libssl.dylib@ -> libssl.0.9.7.dylib

The box evidently has "0.9" installed as well, but our build should be
seizing on the symlink and finding 0.9.7.

regards, tom lane


From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL compression info in psql header
Date: 2014-07-15 15:21:20
Message-ID: CABUevEw9PSwo4ycLX73zTPdytFb1LYL4NDhjb10V4Sc2V4c92Q@mail.gmail.com

On Tue, Jul 15, 2014 at 4:41 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Out of curiosity, since one of those boxes seems to be yours, which
>> version of OpenSSL does it actually have?
>
> Claims to be 0.9.7:
>
> cube:~ tgl$ ls -l /usr/lib/*ssl*
> -rwxr-xr-x 1 root wheel 266940 Nov 7 2010 /usr/lib/libssl.0.9.7.dylib*
> -rwxr-xr-x 1 root wheel 257700 Nov 7 2010 /usr/lib/libssl.0.9.dylib*
> lrwxr-xr-x 1 root wheel 18 Jul 1 2009 /usr/lib/libssl.dylib@ -> libssl.0.9.7.dylib
>
> The box evidently has "0.9" installed as well, but our build should be
> seizing on the symlink and finding 0.9.7.

Weird. It should be in that version.

Either way, we clearly need a configure check for it.

Being a complete newbie when it comes to writing configure checks -
does this seem correct?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Attachment Content-Type Size
ssl_compression_configure.patch text/x-patch 2.5 KB
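
Added example, not part of the thread or of either attached patch: a runtime probe that asks the dynamic loader whether the libssl on a given box actually exports SSL_get_current_compression(), which is the question the version number in the file name could not settle above. It is a runtime analogue of a configure-time function check, not autoconf itself; the helper names are hypothetical, and the HAVE_ macro spelling follows autoconf's usual AC_CHECK_FUNCS naming.

```python
import ctypes
import ctypes.util


def exports_symbol(library, symbol):
    """Return True/False if `library` exports `symbol`, None if it cannot be loaded.

    `library` is a path or soname; None means the current process image.
    """
    try:
        handle = ctypes.CDLL(library)
    except OSError:
        return None
    # Attribute access makes ctypes resolve the name through the dynamic
    # loader; a missing symbol raises AttributeError, which hasattr() absorbs.
    return hasattr(handle, symbol)


def have_macro(symbol):
    """Macro name in the style autoconf derives from a function name."""
    return "HAVE_" + symbol.upper()


def config_line(library, symbol):
    """Render the probe result the way a generated config header would."""
    if exports_symbol(library, symbol):
        return "#define %s 1" % have_macro(symbol)
    return "/* #undef %s */" % have_macro(symbol)


def probe_libssl(symbol="SSL_get_current_compression"):
    """Locate the libssl the loader would pick and test it for `symbol`."""
    name = ctypes.util.find_library("ssl")  # None when no libssl is found
    if name is None:
        return None, None
    return name, exports_symbol(name, symbol)


if __name__ == "__main__":
    name, found = probe_libssl()
    print("libssl:", name)
    print("SSL_get_current_compression exported:", found)
    if name is not None:
        print(config_line(name, "SSL_get_current_compression"))
```

Code that calls the function should then be compiled only when the macro is defined, so a build against a library lacking the symbol still links.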

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL compression info in psql header
Date: 2014-07-15 16:03:35
Message-ID: 18857.1405440215@sss.pgh.pa.us

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> Being a complete newbie when it comes to writing configure checks -
> does this seem correct?

Looks reasonable to me.

regards, tom lane


From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL compression info in psql header
Date: 2014-07-15 16:08:08
Message-ID: CABUevEzPvQ1iv7W_gEmkLv6J8J99Eh_FKm8LEk3MLUAWTBaEGA@mail.gmail.com

On Tue, Jul 15, 2014 at 6:03 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Being a complete newbie when it comes to writing configure checks -
>> does this seem correct?
>
> Looks reasonable to me.

Thanks, I've applied it - let's hope the buildfarm is happier now.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/