Re: Compression on SSL links?

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Karl Denninger <karl(at)denninger(dot)net>, Postgres General <pgsql-general(at)postgresql(dot)org>
Subject: Re: Compression on SSL links?
Date: 2010-08-13 14:43:16
Message-ID: 4C655A04.2000909@postnewspapers.com.au
Lists: pgsql-general

On 13/08/2010 9:31 PM, Bruce Momjian wrote:
> Karl Denninger wrote:
>> I may be blind - I don't see a way to enable this. OpenSSL "kinda"
>> supports this - does Postgres' SSL connectivity allow it to be
>> supported/enabled?
>
> What are you asking, exactly?

As far as I can tell they're asking for transport-level compression,
using gzip or similar, in much the same way as SSL/TLS currently
provides transport-level encryption. Compression at the postgresql
protocol level or above, so it's invisible at the level of the libpq
APIs for executing statements and processing results, and doesn't change
SQL processing.

Since remote access is often combined with SSL, which is already
supported by libpq, using SSL-integrated compression seems pretty
promising if it's viable in practice. It'd avoid the pain of having to
add compression to the Pg protocol by putting it "outside" the current
protocol, in the SSL layer. Even better, compressing results before
encrypting them makes the encrypted traffic *much* stronger against
known-plaintext and pattern-based attacks. And, of course, compressing
the content costs CPU time but reduces the amount of data that must then
be compressed.

OpenSSL does provide some transparent crypto support. See:
http://www.openssl.org/docs/ssl/SSL_COMP_add_compression_method.html

That page notes that using compression as integrated into the SSL layer
has a few issues. The lack of compression method standardization
shouldn't be a problem for PostgreSQL, as PostgreSQL is free to define
compression methods and their names as an SSL-only extension to the
current postgresql-specific protocol. It looks like the negotiation
mechanisms to make this transparent to older clients are there, too, so
there's potential, though lots of testing would be required.

It's hard to know how widely the COMP_zlib method is enabled in deployed
copies of OpenSSL, but a configure test could probably detect its
availability and conditionally enable it in libpq. Again, connections
would just fall back to uncompressed.

I'm curious to see if the Java SSL APIs can support SSL-level
compression, and if so whether the JDBC driver can be SSL+Gzip enabled.
I'll have a dig through the JCA (Java Cryptography Architecture) docs
and see what I can find out.

--
Craig Ringer
