diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index f17f3b6c29..0649b6b81c 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -163,11 +163,11 @@ ALTER SERVER testserver1 OPTIONS (
keepalives_interval 'value',
tcp_user_timeout 'value',
-- requiressl 'value',
+ sslcompression 'value',
sslmode 'value',
sslcert 'value',
sslkey 'value',
sslrootcert 'value',
- sslcompression 'value',
sslcrl 'value',
--requirepeer 'value',
krbsrvname 'value',
diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql
index be5618f759..2b525ea44a 100644
--- a/contrib/postgres_fdw/sql/postgres_fdw.sql
+++ b/contrib/postgres_fdw/sql/postgres_fdw.sql
@@ -177,11 +177,11 @@ ALTER SERVER testserver1 OPTIONS (
keepalives_interval 'value',
tcp_user_timeout 'value',
-- requiressl 'value',
+ sslcompression 'value',
sslmode 'value',
sslcert 'value',
sslkey 'value',
sslrootcert 'value',
- sslcompression 'value',
sslcrl 'value',
--requirepeer 'value',
krbsrvname 'value',
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 2e0c06102e..910e9a81ea 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1640,7 +1640,26 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
sslcompression
- Ignored (formerly, this specified whether to attempt SSL compression).
+ If set to 1, data sent over SSL connections will be compressed. If
+ set to 0, compression will be disabled. The default is 0. This
+ parameter is ignored if a connection without SSL is made.
+
+
+
+ SSL compression is nowadays considered insecure and its use is no
+ longer recommended. OpenSSL 1.1.0 disables
+ compression by default, and many operating system distributions
+ disable it in prior versions as well, so setting this parameter to on
+ will not have any effect if the server does not accept compression.
+ PostgreSQL 14 disables compression
+ completely in the backend.
+
+
+
+ If security is not a primary concern, compression can improve
+ throughput if the network is the bottleneck. Disabling compression
+ can improve response time and throughput if CPU performance is the
+ limiting factor.
@@ -2533,7 +2552,9 @@ const char *PQsslAttribute(const PGconn *conn, const char *attribute_name);
compression
- SSL compression is no longer supported, always returns "off".
+ If SSL compression is in use, returns the name of the compression
+ algorithm, or "on" if compression is used but the algorithm is
+ not known. If compression is not in use, returns "off".
@@ -7168,6 +7189,16 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
+
+
+
+ PGSSLCOMPRESSION
+
+ PGSSLCOMPRESSION behaves the same as the connection parameter.
+
+
+
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 8d6970a4f3..c98e3d31d0 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -3509,6 +3509,7 @@ printSSLInfo(void)
const char *protocol;
const char *cipher;
const char *bits;
+ const char *compression;
if (!PQsslInUse(pset.db))
return; /* no SSL */
@@ -3516,11 +3517,13 @@ printSSLInfo(void)
protocol = PQsslAttribute(pset.db, "protocol");
cipher = PQsslAttribute(pset.db, "cipher");
bits = PQsslAttribute(pset.db, "key_bits");
+ compression = PQsslAttribute(pset.db, "compression");
- printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s)\n"),
+ printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s, compression: %s)\n"),
protocol ? protocol : _("unknown"),
cipher ? cipher : _("unknown"),
- bits ? bits : _("unknown"));
+ bits ? bits : _("unknown"),
+ (compression && strcmp(compression, "off") != 0) ? _("on") : _("off"));
}
/*
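Review bot: The new ternary on the last printf argument renders a NULL `compression` as "off", whereas the three attributes above it render NULL as `_("unknown")`; a `\conninfo` reader would take "off" as a positive statement about the connection when the attribute was simply unavailable. Keeping the existing convention would read `compression ? (strcmp(compression, "off") != 0 ? _("on") : _("off")) : _("unknown")`. Whether PQsslAttribute can return NULL for "compression" on a live SSL connection is not visible in this hunk, but the surrounding code already assumes it can for the other attributes, so the fallback should be consistent.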
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index aeb64c5bca..29054bad7b 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -275,12 +275,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"SSL-Mode", "", 12, /* sizeof("verify-full") == 12 */
offsetof(struct pg_conn, sslmode)},
- /*
- * "sslcompression" is no longer used, but keep it present for backwards
- * compatibility.
- */
- {"sslcompression", NULL, NULL, NULL,
- "SSL-Compression", "", 1, -1},
+ {"sslcompression", "PGSSLCOMPRESSION", "0", NULL,
+ "SSL-Compression", "", 1,
+ offsetof(struct pg_conn, sslcompression)},
{"sslcert", "PGSSLCERT", NULL, NULL,
"SSL-Client-Cert", "", 64,
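Review bot: The "0" default in this table entry is now the only thing keeping SSL compression off, because the new check in initialize_SSL (fe-secure-openssl.c hunk, L142 of this patch) re-enables compression whenever `conn->sslcompression` is NULL or does not start with '0'; any caller path that leaves the field unset would therefore fail open. At the same time the patch deletes the TAP test that passed `sslcompression=1` (001_ssltests.pl hunk) without replacing it, so neither the default nor an explicit `sslcompression=1` is exercised by the test suite. A test along the lines of the removed one, asserting that a default connection reports `PQsslAttribute(conn, "compression")` as "off" and that `sslcompression=1` is accepted, would pin the intended default; the old `/* ... keep it present for backwards compatibility. */` explanation could also be replaced by a short comment stating that "0" is the security default rather than dropped entirely. The PQconninfoOptions array starts and ends outside this hunk.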
@@ -4054,6 +4051,8 @@ freePGconn(PGconn *conn)
free(conn->sslcrl);
if (conn->sslcrldir)
free(conn->sslcrldir);
+ if (conn->sslcompression)
+ free(conn->sslcompression);
if (conn->requirepeer)
free(conn->requirepeer);
if (conn->ssl_min_protocol_version)
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index c88dd3a118..0fa10a23b4 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1257,8 +1257,13 @@ initialize_SSL(PGconn *conn)
if (have_rootcert)
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
- /* disable SSL compression */
- SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+ /*
+ * Set compression option if necessary.
+ */
+ if (conn->sslcompression && conn->sslcompression[0] == '0')
+ SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
+ else
+ SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
return 0;
}
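Review bot: The condition added at L142 disables compression only when the option string begins with '0', so a NULL pointer, an empty string, or a spelling such as "off"/"no"/"false" all reach the `else` branch and call `SSL_clear_options`, turning compression on. Given that the libpq.sgml text in this same patch states SSL compression is considered insecure and that the previous code unconditionally set `SSL_OP_NO_COMPRESSION`, the branches should be swapped so the insecure setting requires an explicit opt-in: `if (conn->sslcompression && conn->sslcompression[0] == '1')` followed by `SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);` in the then-branch and `SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);` in the else-branch. The replacement comment `Set compression option if necessary.` also says less than the `/* disable SSL compression */` it replaces; `/* Enable SSL compression only when explicitly requested ("1"); keep OpenSSL's no-compression option set otherwise. */` would document the intended default. initialize_SSL begins outside this hunk.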
@@ -1548,12 +1553,8 @@ PQsslAttribute(PGconn *conn, const char *attribute_name)
if (strcmp(attribute_name, "cipher") == 0)
return SSL_get_cipher(conn->ssl);
- /*
- * SSL compression is disabled, so even if connecting to an older server
- * which still supports it, it will not be active.
- */
if (strcmp(attribute_name, "compression") == 0)
- return "off";
+ return SSL_get_current_compression(conn->ssl) ? "on" : "off";
if (strcmp(attribute_name, "protocol") == 0)
return SSL_get_version(conn->ssl);
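Review bot: The new return at L157 yields only "on" or "off", while the libpq.sgml change in this same patch documents that `PQsslAttribute(conn, "compression")` returns the name of the compression algorithm when it is known and "on" only as a fallback; the code never returns a name, so the documentation and the implementation disagree. OpenSSL exposes the name via SSL_COMP_get_name on the COMP_METHOD returned by SSL_get_current_compression, so the branch could read `const COMP_METHOD *comp = SSL_get_current_compression(conn->ssl);` / `const char *name = comp ? SSL_COMP_get_name(comp) : NULL;` / `return comp ? (name ? name : "on") : "off";`. Alternatively the documentation should be reduced to the on/off contract the code actually provides; either way, psql's printSSLInfo in this patch only tests for "off", so it tolerates both. PQsslAttribute continues outside this hunk.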
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0965c5ac51..adf149a76f 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -358,6 +358,7 @@ struct pg_conn
char *keepalives_count; /* maximum number of TCP keepalive
* retransmits */
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
+ char *sslcompression; /* SSL compression (0 or 1) */
char *sslkey; /* client key filename */
char *sslcert; /* client certificate filename */
char *sslpassword; /* client key file password */
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index ee97f6f069..bfada03d3e 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -17,7 +17,7 @@ if ($ENV{with_ssl} ne 'openssl')
}
else
{
- plan tests => 101;
+ plan tests => 100;
}
#### Some configuration
@@ -157,13 +157,6 @@ test_connect_fails(
qr/root certificate file "invalid" does not exist/,
"connect without server root cert sslmode=verify-full");
-# Test deprecated SSL parameters, still accepted for backwards
-# compatibility.
-test_connect_ok(
- $common_connstr,
- "sslrootcert=invalid sslmode=require sslcompression=1 requiressl=1",
- "connect with deprecated connection parameters");
-
# Try with wrong root cert, should fail. (We're using the client CA as the
# root, but the server's key is signed by the server CA.)
test_connect_fails($common_connstr,