keepalives_interval 'value',
tcp_user_timeout 'value',
-- requiressl 'value',
- sslcompression 'value',
sslmode 'value',
sslcert 'value',
sslkey 'value',
END;
$d$;
ERROR: invalid option "password"
-HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, sslcrldir, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size, batch_size
+HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcert, sslkey, sslrootcert, sslcrl, sslcrldir, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size, batch_size
CONTEXT: SQL statement "ALTER SERVER loopback_nopw OPTIONS (ADD password 'dummypw')"
PL/pgSQL function inline_code_block line 3 at EXECUTE
-- If we add a password for our user mapping instead, we should get a different
keepalives_interval 'value',
tcp_user_timeout 'value',
-- requiressl 'value',
- sslcompression 'value',
sslmode 'value',
sslcert 'value',
sslkey 'value',
<term><literal>sslcompression</literal></term>
<listitem>
<para>
- If set to 1, data sent over SSL connections will be compressed. If
- set to 0, compression will be disabled. The default is 0. This
- parameter is ignored if a connection without SSL is made.
- </para>
-
- <para>
- SSL compression is nowadays considered insecure and its use is no
- longer recommended. <productname>OpenSSL</productname> 1.1.0 disables
- compression by default, and many operating system distributions
- disable it in prior versions as well, so setting this parameter to on
- will not have any effect if the server does not accept compression.
- </para>
-
- <para>
- If security is not a primary concern, compression can improve
- throughput if the network is the bottleneck. Disabling compression
- can improve response time and throughput if CPU performance is the
- limiting factor.
+ Ignored (formerly, this specified whether to attempt SSL compression).
</para>
</listitem>
</varlistentry>
<term><literal>compression</literal></term>
<listitem>
<para>
- If SSL compression is in use, returns the name of the compression
- algorithm, or "on" if compression is used but the algorithm is
- not known. If compression is not in use, returns "off".
+ SSL compression is no longer supported, always returns "off".
</para>
</listitem>
</varlistentry>
</para>
</listitem>
- <listitem>
- <para>
- <indexterm>
- <primary><envar>PGSSLCOMPRESSION</envar></primary>
- </indexterm>
- <envar>PGSSLCOMPRESSION</envar> behaves the same as the <xref
- linkend="libpq-connect-sslcompression"/> connection parameter.
- </para>
- </listitem>
-
<listitem>
<para>
<indexterm>
</para></entry>
</row>
- <row>
- <entry role="catalog_table_entry"><para role="column_definition">
- <structfield>compression</structfield> <type>boolean</type>
- </para>
- <para>
- True if SSL compression is in use, false if not,
- or NULL if SSL is not in use on this connection
- </para></entry>
- </row>
-
<row>
<entry role="catalog_table_entry"><para role="column_definition">
<structfield>client_dn</structfield> <type>text</type>
S.sslversion AS version,
S.sslcipher AS cipher,
S.sslbits AS bits,
- S.sslcompression AS compression,
S.ssl_client_dn AS client_dn,
S.ssl_client_serial AS client_serial,
S.ssl_issuer_dn AS issuer_dn
/* disallow SSL session caching, too */
SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
+ /* disallow SSL compression */
+ SSL_CTX_set_options(context, SSL_OP_NO_COMPRESSION);
+
/* set up ephemeral DH and ECDH keys */
if (!initialize_dh(context, isServerStart))
goto error;
return 0;
}
-bool
-be_tls_get_compression(Port *port)
-{
- if (port->ssl)
- return (SSL_get_current_compression(port->ssl) != NULL);
- else
- return false;
-}
-
const char *
be_tls_get_version(Port *port)
{
{
lbeentry.st_ssl = true;
lsslstatus.ssl_bits = be_tls_get_cipher_bits(MyProcPort);
- lsslstatus.ssl_compression = be_tls_get_compression(MyProcPort);
strlcpy(lsslstatus.ssl_version, be_tls_get_version(MyProcPort), NAMEDATALEN);
strlcpy(lsslstatus.ssl_cipher, be_tls_get_cipher(MyProcPort), NAMEDATALEN);
be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN);
Datum
pg_stat_get_activity(PG_FUNCTION_ARGS)
{
-#define PG_STAT_GET_ACTIVITY_COLS 30
+#define PG_STAT_GET_ACTIVITY_COLS 29
int num_backends = pgstat_fetch_stat_numbackends();
int curr_backend;
int pid = PG_ARGISNULL(0) ? -1 : PG_GETARG_INT32(0);
pfree(clipped_activity);
/* leader_pid */
- nulls[29] = true;
+ nulls[28] = true;
proc = BackendPidGetProc(beentry->st_procpid);
*/
if (leader && leader->pid != beentry->st_procpid)
{
- values[29] = Int32GetDatum(leader->pid);
- nulls[29] = false;
+ values[28] = Int32GetDatum(leader->pid);
+ nulls[28] = false;
}
}
values[19] = CStringGetTextDatum(beentry->st_sslstatus->ssl_version);
values[20] = CStringGetTextDatum(beentry->st_sslstatus->ssl_cipher);
values[21] = Int32GetDatum(beentry->st_sslstatus->ssl_bits);
- values[22] = BoolGetDatum(beentry->st_sslstatus->ssl_compression);
if (beentry->st_sslstatus->ssl_client_dn[0])
- values[23] = CStringGetTextDatum(beentry->st_sslstatus->ssl_client_dn);
+ values[22] = CStringGetTextDatum(beentry->st_sslstatus->ssl_client_dn);
else
- nulls[23] = true;
+ nulls[22] = true;
if (beentry->st_sslstatus->ssl_client_serial[0])
- values[24] = DirectFunctionCall3(numeric_in,
+ values[23] = DirectFunctionCall3(numeric_in,
CStringGetDatum(beentry->st_sslstatus->ssl_client_serial),
ObjectIdGetDatum(InvalidOid),
Int32GetDatum(-1));
else
- nulls[24] = true;
+ nulls[23] = true;
if (beentry->st_sslstatus->ssl_issuer_dn[0])
- values[25] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn);
+ values[24] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn);
else
- nulls[25] = true;
+ nulls[24] = true;
}
else
{
values[18] = BoolGetDatum(false); /* ssl */
- nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = nulls[25] = true;
+ nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = true;
}
/* GSSAPI information */
if (beentry->st_gss)
{
- values[26] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
- values[27] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
- values[28] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
+ values[25] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
+ values[26] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
+ values[27] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
}
else
{
- values[26] = BoolGetDatum(false); /* gss_auth */
- nulls[27] = true; /* No GSS principal */
- values[28] = BoolGetDatum(false); /* GSS Encryption not in
+ values[25] = BoolGetDatum(false); /* gss_auth */
+ nulls[26] = true; /* No GSS principal */
+ values[27] = BoolGetDatum(false); /* GSS Encryption not in
* use */
}
}
nulls[26] = true;
nulls[27] = true;
nulls[28] = true;
- nulls[29] = true;
}
tuplestore_putvalues(tupstore, tupdesc, values, nulls);
#ifdef USE_SSL
if (port->ssl_in_use)
- appendStringInfo(&logmsg, _(" SSL enabled (protocol=%s, cipher=%s, bits=%d, compression=%s)"),
+ appendStringInfo(&logmsg, _(" SSL enabled (protocol=%s, cipher=%s, bits=%d)"),
be_tls_get_version(port),
be_tls_get_cipher(port),
- be_tls_get_cipher_bits(port),
- be_tls_get_compression(port) ? _("on") : _("off"));
+ be_tls_get_cipher_bits(port));
#endif
#ifdef ENABLE_GSS
if (port->gss)
const char *protocol;
const char *cipher;
const char *bits;
- const char *compression;
if (!PQsslInUse(pset.db))
return; /* no SSL */
protocol = PQsslAttribute(pset.db, "protocol");
cipher = PQsslAttribute(pset.db, "cipher");
bits = PQsslAttribute(pset.db, "key_bits");
- compression = PQsslAttribute(pset.db, "compression");
- printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s, compression: %s)\n"),
+ printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s)\n"),
protocol ? protocol : _("unknown"),
cipher ? cipher : _("unknown"),
- bits ? bits : _("unknown"),
- (compression && strcmp(compression, "off") != 0) ? _("on") : _("off"));
+ bits ? bits : _("unknown"));
}
/*
*/
/* yyyymmddN */
-#define CATALOG_VERSION_NO 202103081
+#define CATALOG_VERSION_NO 202103091
#endif
proname => 'pg_stat_get_activity', prorows => '100', proisstrict => 'f',
proretset => 't', provolatile => 's', proparallel => 'r',
prorettype => 'record', proargtypes => 'int4',
- proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,bool,text,numeric,text,bool,text,bool,int4}',
- proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
- proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,sslcompression,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,leader_pid}',
+ proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,int4}',
+ proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
+ proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,leader_pid}',
prosrc => 'pg_stat_get_activity' },
{ oid => '3318',
descr => 'statistics: information about progress of backends running maintenance command',
* Return information about the SSL connection.
*/
extern int be_tls_get_cipher_bits(Port *port);
-extern bool be_tls_get_compression(Port *port);
extern const char *be_tls_get_version(Port *port);
extern const char *be_tls_get_cipher(Port *port);
extern void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len);
{
/* Information about SSL connection */
int ssl_bits;
- bool ssl_compression;
char ssl_version[NAMEDATALEN];
char ssl_cipher[NAMEDATALEN];
char ssl_client_dn[NAMEDATALEN];
"SSL-Mode", "", 12, /* sizeof("verify-full") == 12 */
offsetof(struct pg_conn, sslmode)},
- {"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
- "SSL-Compression", "", 1,
- offsetof(struct pg_conn, sslcompression)},
+ /*
+ * "sslcompression" is no longer used, but keep it present for backwards
+ * compatibility.
+ */
+ {"sslcompression", NULL, NULL, NULL,
+ "SSL-Compression", "D", 1, -1},
{"sslcert", "PGSSLCERT", NULL, NULL,
"SSL-Client-Cert", "", 64,
free(conn->sslcrl);
if (conn->sslcrldir)
free(conn->sslcrldir);
- if (conn->sslcompression)
- free(conn->sslcompression);
if (conn->requirepeer)
free(conn->requirepeer);
if (conn->ssl_min_protocol_version)
if (have_rootcert)
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
- /*
- * Set compression option if necessary.
- */
- if (conn->sslcompression && conn->sslcompression[0] == '0')
- SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
- else
- SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+ /* disable SSL compression */
+ SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
return 0;
}
if (strcmp(attribute_name, "cipher") == 0)
return SSL_get_cipher(conn->ssl);
+ /*
+ * SSL compression is disabled, so even if connecting to an older server
+ * which still supports it, it will not be active.
+ */
if (strcmp(attribute_name, "compression") == 0)
- return SSL_get_current_compression(conn->ssl) ? "on" : "off";
+ return "off";
if (strcmp(attribute_name, "protocol") == 0)
return SSL_get_version(conn->ssl);
char *keepalives_count; /* maximum number of TCP keepalive
* retransmits */
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
- char *sslcompression; /* SSL compression (0 or 1) */
char *sslkey; /* client key filename */
char *sslcert; /* client certificate filename */
char *sslpassword; /* client key file password */
s.backend_xmin,
s.query,
s.backend_type
- FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid)
+ FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid)
LEFT JOIN pg_database d ON ((s.datid = d.oid)))
LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
pg_stat_all_indexes| SELECT c.oid AS relid,
s.gss_auth AS gss_authenticated,
s.gss_princ AS principal,
s.gss_enc AS encrypted
- FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid)
+ FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid)
WHERE (s.client_port IS NOT NULL);
pg_stat_progress_analyze| SELECT s.pid,
s.datid,
w.sync_priority,
w.sync_state,
w.reply_time
- FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid)
+ FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid)
JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid)))
LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
pg_stat_replication_slots| SELECT s.slot_name,
s.sslversion AS version,
s.sslcipher AS cipher,
s.sslbits AS bits,
- s.sslcompression AS compression,
s.ssl_client_dn AS client_dn,
s.ssl_client_serial AS client_serial,
s.ssl_issuer_dn AS issuer_dn
- FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid)
+ FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid)
WHERE (s.client_port IS NOT NULL);
pg_stat_subscription| SELECT su.oid AS subid,
su.subname,
}
else
{
- plan tests => 100;
+ plan tests => 101;
}
#### Some configuration
qr/root certificate file "invalid" does not exist/,
"connect without server root cert sslmode=verify-full");
+# Test deprecated SSL parameters, still accepted for backwards
+# compatibility.
+test_connect_ok(
+ $common_connstr,
+ "sslrootcert=invalid sslmode=require sslcompression=1 requiressl=1",
+ "connect with deprecated connection parameters");
+
# Try with wrong root cert, should fail. (We're using the client CA as the
# root, but the server's key is signed by the server CA.)
test_connect_fails($common_connstr,
"$common_connstr sslrootcert=invalid", '-c',
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
- qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,_null_,_null_,_null_\r?$}mx,
+ qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx,
'pg_stat_ssl view without client certificate');
# Test min/max SSL protocol versions.
'-c',
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
- qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
projects / postgresql.git / commitdiff