
Re: Compression on SSL links?

On 13/08/2010 9:31 PM, Bruce Momjian wrote:
> Karl Denninger wrote:
>> I may be blind - I don't see a way to enable this.  OpenSSL "kinda"
>> supports this - does Postgres' SSL connectivity allow it to be
>> supported/enabled?
>
> What are you asking, exactly?

As far as I can tell they're asking for transport-level compression, using gzip or similar, in much the same way as SSL/TLS currently provides transport-level encryption. Compression at the postgresql protocol level or above, so it's invisible at the level of the libpq APIs for executing statements and processing results, and doesn't change SQL processing.

Since remote access is often combined with SSL, which is already supported by libpq, using SSL-integrated compression seems pretty promising if it's viable in practice. It'd avoid the pain of having to add compression to the Pg protocol by putting it "outside" the current protocol, in the SSL layer. Even better, compressing results before encrypting them makes the encrypted traffic *much* stronger against known-plaintext and pattern-based attacks. And, of course, compressing the content costs CPU time but reduces the amount of data that must then be compressed.

OpenSSL does provide some transparent crypto support. See:
  http://www.openssl.org/docs/ssl/SSL_COMP_add_compression_method.html

That page notes that using compression as integrated into the SSL layer has a few issues. The lack of compression method standardization shouldn't be a problem for PostgreSQL, as PostgreSQL is free to define compression methods and their names as an SSL-only extension to the current postgresql-specific protocol. It looks like the negotiation mechanisms to make this transparent to older clients are there, too, so there's potential, though lots of testing would be required.

It's hard to know how widely the COMP_zlib method is enabled in deployed copies of OpenSSL, but a configure test could probably detect its availability and conditionally enable it in libpq. Again, connections would just fall back to uncompressed.

I'm curious to see if the Java SSL APIs can support SSL-level compression, and if so whether the JDBC driver can be SSL+Gzip enabled. I'll have a dig through the JCA (Java Cryptography Architecture) docs and see what I can find out.

--
Craig Ringer


--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
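
The negotiation and fallback to uncompressed that the message above describes, as an added example (not part of the original post, and not libpq or OpenSSL code): it reads the compression methods a TLS ClientHello offers and picks one. The ClientHello bytes are constructed sample input, and the selection rule in `negotiate` is a simplifying assumption of this example.

```python
import struct

# TLS compression method IDs: 0 = null (RFC 5246), 1 = DEFLATE (RFC 3749).
NAMES = {0: "null", 1: "DEFLATE"}

def build_client_hello(methods):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"       # version, zeroed random, empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"     # cipher_suites: one suite
    body += bytes([len(methods)]) + bytes(methods)  # compression_methods vector
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def offered_compression(record):
    """Return the compression method IDs listed in a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    data = record[5:5 + rec_len]
    if len(data) != rec_len:
        raise ValueError("truncated record")
    pos = 4 + 2 + 32                     # handshake header, client_version, random
    try:
        pos += 1 + data[pos]             # skip session_id
        (cs_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2 + cs_len                # skip cipher_suites
        count = data[pos]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    methods = data[pos + 1:pos + 1 + count]
    if count == 0 or len(methods) != count:
        raise ValueError("bad compression_methods vector")
    return list(methods)

def negotiate(offered, server_supported):
    """Assumed rule: first client-listed method the server supports, else null."""
    for method in offered:
        if method in server_supported:
            return method
    return 0                             # fall back to uncompressed

if __name__ == "__main__":
    cases = [("zlib client, zlib server", [1, 0], {0, 1}),
             ("zlib client, plain server", [1, 0], {0}),
             ("older client, zlib server", [0], {0, 1})]
    for label, client, server in cases:
        offer = offered_compression(build_client_hello(client))
        chosen = negotiate(offer, server)
        print(f"{label}: offered={offer} chosen={NAMES[chosen]}")
```
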

