aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/bin/psql/command.c7
-rw-r--r--src/interfaces/libpq/fe-connect.c11
-rw-r--r--src/interfaces/libpq/fe-secure-openssl.c15
-rw-r--r--src/interfaces/libpq/libpq-int.h1
-rw-r--r--src/test/ssl/t/001_ssltests.pl9
5 files changed, 20 insertions, 23 deletions
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 8d6970a4f34..c98e3d31d0c 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -3509,6 +3509,7 @@ printSSLInfo(void)
const char *protocol;
const char *cipher;
const char *bits;
+ const char *compression;
if (!PQsslInUse(pset.db))
return; /* no SSL */
@@ -3516,11 +3517,13 @@ printSSLInfo(void)
protocol = PQsslAttribute(pset.db, "protocol");
cipher = PQsslAttribute(pset.db, "cipher");
bits = PQsslAttribute(pset.db, "key_bits");
+ compression = PQsslAttribute(pset.db, "compression");
- printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s)\n"),
+ printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s, compression: %s)\n"),
protocol ? protocol : _("unknown"),
cipher ? cipher : _("unknown"),
- bits ? bits : _("unknown"));
+ bits ? bits : _("unknown"),
+ (compression && strcmp(compression, "off") != 0) ? _("on") : _("off"));
}
/*
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index aeb64c5bca3..29054bad7b4 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -275,12 +275,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"SSL-Mode", "", 12, /* sizeof("verify-full") == 12 */
offsetof(struct pg_conn, sslmode)},
- /*
- * "sslcompression" is no longer used, but keep it present for backwards
- * compatibility.
- */
- {"sslcompression", NULL, NULL, NULL,
- "SSL-Compression", "", 1, -1},
+ {"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
+ "SSL-Compression", "", 1,
+ offsetof(struct pg_conn, sslcompression)},
{"sslcert", "PGSSLCERT", NULL, NULL,
"SSL-Client-Cert", "", 64,
@@ -4054,6 +4051,8 @@ freePGconn(PGconn *conn)
free(conn->sslcrl);
if (conn->sslcrldir)
free(conn->sslcrldir);
+ if (conn->sslcompression)
+ free(conn->sslcompression);
if (conn->requirepeer)
free(conn->requirepeer);
if (conn->ssl_min_protocol_version)
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index c88dd3a1183..0fa10a23b4a 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1257,8 +1257,13 @@ initialize_SSL(PGconn *conn)
if (have_rootcert)
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
- /* disable SSL compression */
- SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+ /*
+ * Set compression option if necessary.
+ */
+ if (conn->sslcompression && conn->sslcompression[0] == '0')
+ SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+ else
+ SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
return 0;
}
@@ -1548,12 +1553,8 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
if (strcmp(attribute_name, "cipher") == 0)
return SSL_get_cipher(conn->ssl);
- /*
- * SSL compression is disabled, so even if connecting to an older server
- * which still supports it, it will not be active.
- */
if (strcmp(attribute_name, "compression") == 0)
- return "off";
+ return SSL_get_current_compression(conn->ssl) ? "on" : "off";
if (strcmp(attribute_name, "protocol") == 0)
return SSL_get_version(conn->ssl);
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0965c5ac511..adf149a76f9 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -358,6 +358,7 @@ struct pg_conn
char *keepalives_count; /* maximum number of TCP keepalive
* retransmits */
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
+ char *sslcompression; /* SSL compression (0 or 1) */
char *sslkey; /* client key filename */
char *sslcert; /* client certificate filename */
char *sslpassword; /* client key file password */
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index ee97f6f0697..bfada03d3eb 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -17,7 +17,7 @@ if ($ENV{with_ssl} ne 'openssl')
}
else
{
- plan tests => 101;
+ plan tests => 100;
}
#### Some configuration
@@ -157,13 +157,6 @@ test_connect_fails(
qr/root certificate file "invalid" does not exist/,
"connect without server root cert sslmode=verify-full");
-# Test deprecated SSL parameters, still accepted for backwards
-# compatibility.
-test_connect_ok(
- $common_connstr,
- "sslrootcert=invalid sslmode=require sslcompression=1 requiressl=1",
- "connect with deprecated connection parameters");
-
# Try with wrong root cert, should fail. (We're using the client CA as the
# root, but the server's key is signed by the server CA.)
test_connect_fails($common_connstr,
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-23 04:56:46 +0000