On Sat, Jan 1, 2022 at 11:25:05AM -0600, Justin Pryzby wrote:
> Thanks for working on this. The patch looks to be in good shape - I hope more
> people will help to review and test it. I took the liberty of creating a new
> CF entry. http://cfbot.cputube.org/daniil-zakhlystov.html
>
> +zpq_should_compress(ZpqStream * zpq, char msg_type, uint32 msg_len)
> +{
> + return zpq_choose_compressor(zpq, msg_type, msg_len) == -1;
>
> I think this is backwards, and should say != -1 ?
>
> As written, the server GUC libpq_compression defaults to "on", and the client
> doesn't request compression. I think the server GUC should default to off.
> I failed to convince Konstantin about this last year. The reason is that 1)
> it's a new feature; 2) with security implications. An admin should need to
> "opt in" to this. I still wonder if this should be controlled by a new "TYPE"
> in pg_hba (rather than a GUC); that would make it exclusive of SSL.
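
Review bot: In zpq_should_compress, the return statement compares the result of zpq_choose_compressor against a bare -1, and the visible lines do not say what -1 stands for; if it is the "no compressor selected" value, the predicate returns true exactly when nothing would be compressed, so the comparison should be != -1. Replacing the literal with a named constant and adding a one-line comment on the function stating what a true result means would make the intended polarity checkable at each call site.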

I assume this compression happens before it is encrypted for TLS transport.
Second, compression was removed from TLS because there were too many ways for
HTTP to weaken encryption. I assume the Postgres wire protocol doesn't have
similar exploit possibilities.

--
  Bruce Momjian <br...@momjian.us> https://momjian.us
  EDB https://enterprisedb.com

  If only the physical world exists, free will is an illusion.