From: Florian Pflug <fgp(at)phlo(dot)org>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Euler Taveira <euler(at)timbira(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Pgsql Hackers <pgsql-hackers(at)postgresql(dot)org>, Claes Jakobsson <claes(at)versed(dot)se>
Subject: Re: libpq compression
Date: 2012-06-20 19:05:52
Message-ID: 7760EC03-5B38-4903-AD2D-95F787B1E1ED@phlo.org
Lists: pgsql-hackers

On Jun 20, 2012, at 18:42, Magnus Hagander wrote:
> That is a very good point. Before we design *another* feature that
> relies on it, we should verify if the syntax is compatible in the
> other libraries that would be interesting (gnutls and NSS primarily),
> and if it's not, that at least the *functionality* exists in a
> compatible way. So we don't put ourselves in a position where we can't
> proceed.
Hm, here's another problem with relying on SSL/TLS for compression.
RFC2246, which defines TLS 1.0, explicitly states that
"TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a
TLS connection during the first handshake on that channel, but MUST
NOT be negotiated, as it provides no more protection than an
unsecured connection." [RFC2246, A.5. The Cipher Suite]
and that paragraph is still present in RFC5246 (TLS 1.2). The other
cipher suites without actual encryption seem to be

  TLS_RSA_WITH_NULL_MD5
  TLS_RSA_WITH_NULL_SHA
  TLS_RSA_WITH_NULL_SHA256 (TLS 1.2)

Unless I'm missing something, that leaves us with no way of skipping the
initial RSA handshake and also (more importantly) no way around computing
an MD5 or SHA digest of every packet sent.
I'm starting to think that relying on SSL/TLS for compression of
unencrypted connections might not be such a good idea after all. We'd
be using the protocol in a way it quite clearly never was intended to
be used...
best regards,
Florian Pflug
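As an added illustration (not part of Florian's message, nor PostgreSQL or libpq code), the Python below parses a TLS ServerHello record and reports what the negotiated parameters would mean for a compression-only connection: whether the selected suite is one of the NULL-encryption suites listed above (IANA code points 0x0000, 0x0001, 0x0002 and 0x003B), the RSA key exchange and MAC it would still require, the bytes that MAC adds to every record, and whether DEFLATE compression (method 1, RFC 3749) was selected. The ServerHello bytes are constructed inline by a helper, and all function names here are my own.

```python
import struct
from dataclasses import dataclass

# Added example: IANA code points for the TLS cipher suites without encryption
# that the message above lists, with key exchange, MAC algorithm and MAC length
# (the MAC is what TLS would still compute over every record).
NULL_CIPHER_SUITES = {
    0x0000: ("TLS_NULL_WITH_NULL_NULL", None, None, 0),
    0x0001: ("TLS_RSA_WITH_NULL_MD5", "RSA", "MD5", 16),
    0x0002: ("TLS_RSA_WITH_NULL_SHA", "RSA", "SHA-1", 20),
    0x003B: ("TLS_RSA_WITH_NULL_SHA256", "RSA", "SHA-256", 32),
}

# TLS compression methods: 0 is null (RFC 5246), 1 is DEFLATE (RFC 3749).
COMPRESSION_METHODS = {0x00: "null", 0x01: "DEFLATE"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

RECORD_HEADER_LEN = 5     # content_type(1) + version(2) + length(2)
HANDSHAKE_HEADER_LEN = 4  # msg_type(1) + length(3)


@dataclass
class ServerHello:
    version: tuple
    session_id: bytes
    cipher_suite: int
    compression_method: int


def parse_server_hello(record: bytes) -> ServerHello:
    """Parse one TLS record carrying a ServerHello (RFC 5246, section 7.4.1.3)."""
    if len(record) < RECORD_HEADER_LEN:
        raise ValueError("short record")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:RECORD_HEADER_LEN])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[RECORD_HEADER_LEN:RECORD_HEADER_LEN + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[HANDSHAKE_HEADER_LEN:HANDSHAKE_HEADER_LEN + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    # server_version(2) random(32) session_id<0..32> cipher_suite(2) compression_method(1)
    if len(hs) < 2 + 32 + 1:
        raise ValueError("short ServerHello")
    version = (hs[0], hs[1])
    sid_len = hs[34]
    if sid_len > 32:
        raise ValueError("session_id too long")
    pos = 35
    session_id = hs[pos:pos + sid_len]
    pos += sid_len
    if len(hs) < pos + 3:
        raise ValueError("short ServerHello")
    cipher_suite = int.from_bytes(hs[pos:pos + 2], "big")
    return ServerHello(version, session_id, cipher_suite, hs[pos + 2])


def assess(hello: ServerHello) -> dict:
    """Report what the negotiated suite costs a compression-only connection."""
    suite = NULL_CIPHER_SUITES.get(hello.cipher_suite)
    findings = []
    if hello.cipher_suite == 0x0000:
        findings.append("TLS_NULL_WITH_NULL_NULL negotiated: MUST NOT per RFC 5246 A.5")
    elif suite:
        findings.append("%s key exchange still required; %s MAC on every record" % (suite[1], suite[2]))
        if hello.cipher_suite == 0x003B and hello.version < (3, 3):
            findings.append("TLS_RSA_WITH_NULL_SHA256 requires TLS 1.2")
    return {
        "version": TLS_VERSIONS.get(hello.version, "unknown %d.%d" % hello.version),
        "suite": suite[0] if suite else "0x%04X" % hello.cipher_suite,
        "null_encryption": suite is not None,
        "key_exchange": suite[1] if suite else None,
        "mac": suite[2] if suite else None,
        # bytes TLS adds to each record with a NULL cipher: record header plus MAC
        "per_record_overhead": RECORD_HEADER_LEN + suite[3] if suite else None,
        "compression": COMPRESSION_METHODS.get(hello.compression_method, "unknown"),
        "findings": findings,
    }


def build_server_hello(version, cipher_suite, compression_method, random=b"\x00" * 32) -> bytes:
    """Construct a minimal ServerHello record (constructed sample, no extensions)."""
    body = bytes(version) + random + b"\x00" + cipher_suite.to_bytes(2, "big") + bytes([compression_method])
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # Constructed sample: TLS 1.2, TLS_RSA_WITH_NULL_SHA256, DEFLATE compression.
    sample = build_server_hello((3, 3), 0x003B, 0x01)
    for key, value in assess(parse_server_hello(sample)).items():
        print("%-20s %s" % (key, value))
```

The overhead figure is only the unavoidable part: 5 bytes of record header plus the MAC, before any DEFLATE gain, which is the cost the message above objects to even when encryption is nulled out.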