Revert changes for SSL compression in libpq

This partially reverts 096bbf7 and 9d2d457, undoing the libpq changes as it could cause breakages in distributions that share one single libpq version across multiple major versions of Postgres for extensions and applications linking to that. Note that the backend is unchanged here, and it still disables SSL compression while simplifying the underlying catalogs that tracked if compression was enabled or not for a SSL connection. Per discussion with Tom Lane and Daniel Gustafsson. Discussion: https://postgr.es/m/YEbq15JKJwIX+S6m@paquier.xyz
2025-07-30 11:03:19 +03:00 · 2021-03-10 09:35:42 +09:00
parent 6540cc517d
commit 0ba71107ef
8 changed files with 55 additions and 27 deletions
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@ -3509,6 +3509,7 @@ printSSLInfo(void)
 	const char *protocol;
 	const char *cipher;
 	const char *bits;
+	const char *compression;

 	if (!PQsslInUse(pset.db))
 		return;					/* no SSL */
@ -3516,11 +3517,13 @@ printSSLInfo(void)
 	protocol = PQsslAttribute(pset.db, "protocol");
 	cipher = PQsslAttribute(pset.db, "cipher");
 	bits = PQsslAttribute(pset.db, "key_bits");
+	compression = PQsslAttribute(pset.db, "compression");

-	printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s)\n"),
+	printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s, compression: %s)\n"),
 		   protocol ? protocol : _("unknown"),
 		   cipher ? cipher : _("unknown"),
-		   bits ? bits : _("unknown"));
+		   bits ? bits : _("unknown"),
+		   (compression && strcmp(compression, "off") != 0) ? _("on") : _("off"));
 }

 /*
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@ -275,12 +275,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"SSL-Mode", "", 12,		/* sizeof("verify-full") == 12 */
 	offsetof(struct pg_conn, sslmode)},

-	/*
-	 * "sslcompression" is no longer used, but keep it present for backwards
-	 * compatibility.
-	 */
-	{"sslcompression", NULL, NULL, NULL,
-	"SSL-Compression", "", 1, -1},
+	{"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
+		"SSL-Compression", "", 1,
+	offsetof(struct pg_conn, sslcompression)},

 	{"sslcert", "PGSSLCERT", NULL, NULL,
 		"SSL-Client-Cert", "", 64,
@ -4054,6 +4051,8 @@ freePGconn(PGconn *conn)
 		free(conn->sslcrl);
 	if (conn->sslcrldir)
 		free(conn->sslcrldir);
+	if (conn->sslcompression)
+		free(conn->sslcompression);
 	if (conn->requirepeer)
 		free(conn->requirepeer);
 	if (conn->ssl_min_protocol_version)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@ -1257,8 +1257,13 @@ initialize_SSL(PGconn *conn)
 	if (have_rootcert)
 		SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);

-	/* disable SSL compression */
-	SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+	/*
+	 * Set compression option if necessary.
+	 */
+	if (conn->sslcompression && conn->sslcompression[0] == '0')
+		SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+	else
+		SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);

 	return 0;
 }
@ -1548,12 +1553,8 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
 	if (strcmp(attribute_name, "cipher") == 0)
 		return SSL_get_cipher(conn->ssl);

-	/*
-	 * SSL compression is disabled, so even if connecting to an older server
-	 * which still supports it, it will not be active.
-	 */
 	if (strcmp(attribute_name, "compression") == 0)
-		return "off";
+		return SSL_get_current_compression(conn->ssl) ? "on" : "off";

 	if (strcmp(attribute_name, "protocol") == 0)
 		return SSL_get_version(conn->ssl);
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@ -358,6 +358,7 @@ struct pg_conn
 	char	   *keepalives_count;	/* maximum number of TCP keepalive
 									 * retransmits */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
+	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
 	char	   *sslcert;		/* client certificate filename */
 	char	   *sslpassword;	/* client key file password */
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@ -17,7 +17,7 @@ if ($ENV{with_ssl} ne 'openssl')
 }
 else
 {
-	plan tests => 101;
+	plan tests => 100;
 }

 #### Some configuration
@ -157,13 +157,6 @@ test_connect_fails(
 	qr/root certificate file "invalid" does not exist/,
 	"connect without server root cert sslmode=verify-full");

-# Test deprecated SSL parameters, still accepted for backwards
-# compatibility.
-test_connect_ok(
-	$common_connstr,
-	"sslrootcert=invalid sslmode=require sslcompression=1 requiressl=1",
-	"connect with deprecated connection parameters");
-
 # Try with wrong root cert, should fail. (We're using the client CA as the
 # root, but the server's key is signed by the server CA.)
 test_connect_fails($common_connstr,