public inbox for [email protected]
help / color / mirror / Atom feed[PATCH 04/10] wal_compression_method: default to zlib..
8+ messages / 5 participants
[nested] [flat]
* [PATCH 04/10] wal_compression_method: default to zlib..
@ 2021-03-11 23:36 Justin Pryzby <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Justin Pryzby @ 2021-03-11 23:36 UTC (permalink / raw)
this is meant to exercise the CIs, and not meant to be merged
---
src/backend/access/transam/xlog.c | 2 +-
src/backend/utils/misc/guc.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index 0183589b4d..8bae73b4ec 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -99,7 +99,7 @@ bool EnableHotStandby = false;
bool fullPageWrites = true;
bool wal_log_hints = false;
bool wal_compression = false;
-int wal_compression_method = WAL_COMPRESSION_PGLZ;
+int wal_compression_method = WAL_COMPRESSION_ZLIB;
char *wal_consistency_checking_string = NULL;
bool *wal_consistency_checking = NULL;
bool wal_init_zero = true;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 8084027465..c37a8313d3 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -1269,7 +1269,7 @@ static struct config_bool ConfigureNamesBool[] =
NULL
},
&wal_compression,
- false,
+ true,
NULL, NULL, NULL
},
@@ -4728,7 +4728,7 @@ static struct config_enum ConfigureNamesEnum[] =
NULL
},
&wal_compression_method,
- WAL_COMPRESSION_PGLZ, wal_compression_options,
+ WAL_COMPRESSION_ZLIB, wal_compression_options,
NULL, NULL, NULL
},
--
2.17.0
--0qVF/w3MHQqLSynd
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment;
filename="0005-re-add-wal_compression_method-lz4.patch"
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: tls 1.3: sending multiple tickets
@ 2024-06-18 13:11 Daniel Gustafsson <[email protected]>
2024-07-24 05:44 ` Re: tls 1.3: sending multiple tickets Heikki Linnakangas <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: Daniel Gustafsson @ 2024-06-18 13:11 UTC (permalink / raw)
To: Andres Freund <[email protected]>; +Cc: pgsql-hackers
> On 17 Jun 2024, at 19:38, Andres Freund <[email protected]> wrote:
> Note the second to last paragraph: Because we use SSL_OP_NO_TICKET we trigger
> use of stateful tickets. Which afaict are never going to be useful, because we
> don't share the necessary state.
Nice catch, I learned something new today. I was under the impression that the
flag turned of all tickets but clearly not.
> I guess openssl really could have inferred this from the fact that we *do*
> call SSL_CTX_set_session_cache_mode(SSL_SESS_CACHE_OFF), b
Every day with the OpenSSL API is an adventure.
> Seems we ought to use SSL_CTX_set_num_tickets() to prevent issuing the useless
> tickets?
Agreed, in 1.1.1 and above as the API was only introduced then. LibreSSL added
the API in 3.5.4 but only for compatibility since it doesn't support TLS
tickets at all.
> It seems like a buglet in openssl that it forces each session tickets to be
> sent in its own packet (it does an explicit BIO_flush(), so even if we
> buffered between openssl and OS, as I think we should, we'd still send it
> separately), but I don't really understand most of this stuff.
I don't see anything in the RFCs so not sure.
The attached applies this, and I think this is backpatching material since we
arguably fail to do what we say in the code. AFAIK we don't have a hard rule
against backpatching changes to autoconf/meson?
--
Daniel Gustafsson
Attachments:
[application/octet-stream] v1-0001-Disable-all-TLS-session-tickets.patch (4.1K, ../../[email protected]/2-v1-0001-Disable-all-TLS-session-tickets.patch)
download | inline diff:
From 5c21ebe072d1c877d7fe8f676879b9a8af76eb1c Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <[email protected]>
Date: Tue, 18 Jun 2024 14:50:39 +0200
Subject: [PATCH v1] Disable all TLS session tickets
OpenSSL supports two types of session tickets for TLSv1.3, stateless
and stateful. The option we've used only turns off stateless tickets
leaving stateful tickets active. Use the new API introduced in 1.1.1
to disable all types of tickets.
Reported-by: Andres Freund <[email protected]>
Discussion: https://postgr.es/m/[email protected]
---
configure | 9 +++++----
configure.ac | 2 +-
meson.build | 1 +
src/backend/libpq/be-secure-openssl.c | 14 +++++++++++++-
src/include/pg_config.h.in | 3 +++
5 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/configure b/configure
index 7b03db56a6..519a2e5ce6 100755
--- a/configure
+++ b/configure
@@ -12591,12 +12591,13 @@ fi
done
# Function introduced in OpenSSL 1.1.1.
- for ac_func in X509_get_signature_info
+ for ac_func in X509_get_signature_info SSL_CTX_set_num_tickets
do :
- ac_fn_c_check_func "$LINENO" "X509_get_signature_info" "ac_cv_func_X509_get_signature_info"
-if test "x$ac_cv_func_X509_get_signature_info" = xyes; then :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
-#define HAVE_X509_GET_SIGNATURE_INFO 1
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
fi
diff --git a/configure.ac b/configure.ac
index 63e7be3847..6e28c2d04c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1358,7 +1358,7 @@ if test "$with_ssl" = openssl ; then
# function was removed.
AC_CHECK_FUNCS([CRYPTO_lock])
# Function introduced in OpenSSL 1.1.1.
- AC_CHECK_FUNCS([X509_get_signature_info])
+ AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])
AC_DEFINE([USE_OPENSSL], 1, [Define to 1 to build with OpenSSL support. (--with-ssl=openssl)])
elif test "$with_ssl" != no ; then
AC_MSG_ERROR([--with-ssl must specify openssl])
diff --git a/meson.build b/meson.build
index 2767abd19e..e21f88b529 100644
--- a/meson.build
+++ b/meson.build
@@ -1293,6 +1293,7 @@ if sslopt in ['auto', 'openssl']
# Function introduced in OpenSSL 1.1.1
['X509_get_signature_info'],
+ ['SSL_CTX_set_num_tickets'],
]
are_openssl_funcs_complete = true
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 39b1a66236..d257b93104 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -258,8 +258,20 @@ be_tls_init(bool isServerStart)
}
}
- /* disallow SSL session tickets */
+ /*
+ * Disallow SSL session tickets. OpenSSL use both stateful and stateless
+ * tickets for TLSv1.3, and stateless ticket for TLSv1.2. SSL_OP_NO_TICKET
+ * is available since 1.0.0 but only turns off stateless tickets. In order
+ * to turn off stateful tickets we also need SSL_CTX_set_num_tickets, which
+ * is available since OpenSSL 1.1.1. LibreSSL 3.5.4 (from OpenBSD 7.1)
+ * introduced this API for compatibility, but doesn't support session
+ * tickets at all so it's a no-op there.
+ */
+#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
+ SSL_CTX_set_num_tickets(context, 0);
+#else
SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
+#endif
/* disallow SSL session caching, too */
SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index f8d3e3b6b8..e2834912f8 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -510,6 +510,9 @@
/* Define to 1 if you have the `X509_get_signature_info' function. */
#undef HAVE_X509_GET_SIGNATURE_INFO
+/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
+#undef HAVE_SSL_CTX_SET_NUM_TICKETS
+
/* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */
#undef HAVE_X86_64_POPCNTQ
--
2.39.3 (Apple Git-146)
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: tls 1.3: sending multiple tickets
2024-06-18 13:11 Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
@ 2024-07-24 05:44 ` Heikki Linnakangas <[email protected]>
2024-07-26 11:55 ` Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: Heikki Linnakangas @ 2024-07-24 05:44 UTC (permalink / raw)
To: Daniel Gustafsson <[email protected]>; Andres Freund <[email protected]>; +Cc: pgsql-hackers
On 18/06/2024 16:11, Daniel Gustafsson wrote:
>> On 17 Jun 2024, at 19:38, Andres Freund <[email protected]> wrote:
>> Seems we ought to use SSL_CTX_set_num_tickets() to prevent issuing the useless
>> tickets?
>
> Agreed, in 1.1.1 and above as the API was only introduced then. LibreSSL added
> the API in 3.5.4 but only for compatibility since it doesn't support TLS
> tickets at all.
Wow, that's a bizarre API. The OpenSSL docs are not clear on what the
possible values for SSL_CTX_set_num_tickets() are. It talks about 0, and
mentions that 2 is the default, but what does it mean to set it to 1, or
5, for example?
Anyway, it's pretty clear that SSL_CTX_set_num_tickets(0) can be used to
disable tickets, so that's fine.
>> It seems like a buglet in openssl that it forces each session tickets to be
>> sent in its own packet (it does an explicit BIO_flush(), so even if we
>> buffered between openssl and OS, as I think we should, we'd still send it
>> separately), but I don't really understand most of this stuff.
>
> I don't see anything in the RFCs so not sure.
>
> The attached applies this, and I think this is backpatching material since we
> arguably fail to do what we say in the code. AFAIK we don't have a hard rule
> against backpatching changes to autoconf/meson?
Looks good to me. Backpatching autoconf/meson changes is fine, we've
done it before.
--
Heikki Linnakangas
Neon (https://neon.tech)
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: tls 1.3: sending multiple tickets
2024-06-18 13:11 Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-24 05:44 ` Re: tls 1.3: sending multiple tickets Heikki Linnakangas <[email protected]>
@ 2024-07-26 11:55 ` Daniel Gustafsson <[email protected]>
2024-07-26 12:03 ` Re: tls 1.3: sending multiple tickets Marina Polyakova <[email protected]>
2024-07-29 20:08 ` Re: tls 1.3: sending multiple tickets Andres Freund <[email protected]>
0 siblings, 2 replies; 8+ messages in thread
From: Daniel Gustafsson @ 2024-07-26 11:55 UTC (permalink / raw)
To: Heikki Linnakangas <[email protected]>; +Cc: Andres Freund <[email protected]>; pgsql-hackers
> On 24 Jul 2024, at 07:44, Heikki Linnakangas <[email protected]> wrote:
>
> On 18/06/2024 16:11, Daniel Gustafsson wrote:
>>> On 17 Jun 2024, at 19:38, Andres Freund <[email protected]> wrote:
>>> Seems we ought to use SSL_CTX_set_num_tickets() to prevent issuing the useless
>>> tickets?
>> Agreed, in 1.1.1 and above as the API was only introduced then. LibreSSL added
>> the API in 3.5.4 but only for compatibility since it doesn't support TLS
>> tickets at all.
>
> Wow, that's a bizarre API. The OpenSSL docs are not clear on what the possible values for SSL_CTX_set_num_tickets() are. It talks about 0, and mentions that 2 is the default, but what does it mean to set it to 1, or 5, for example?
It means that 1 or 5 tickets can be sent to the user, OpenSSL accepts an
arbitrary number of tickets (tickets can be issued at other points during the
connection than the handshake AFAICT).
> Anyway, it's pretty clear that SSL_CTX_set_num_tickets(0) can be used to disable tickets, so that's fine.
>
>>> It seems like a buglet in openssl that it forces each session tickets to be
>>> sent in its own packet (it does an explicit BIO_flush(), so even if we
>>> buffered between openssl and OS, as I think we should, we'd still send it
>>> separately), but I don't really understand most of this stuff.
>> I don't see anything in the RFCs so not sure.
>> The attached applies this, and I think this is backpatching material since we
>> arguably fail to do what we say in the code. AFAIK we don't have a hard rule
>> against backpatching changes to autoconf/meson?
>
> Looks good to me. Backpatching autoconf/meson changes is fine, we've done it before.
Thanks for review, I've applied this backpatched all the way.
--
Daniel Gustafsson
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: tls 1.3: sending multiple tickets
2024-06-18 13:11 Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-24 05:44 ` Re: tls 1.3: sending multiple tickets Heikki Linnakangas <[email protected]>
2024-07-26 11:55 ` Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
@ 2024-07-26 12:03 ` Marina Polyakova <[email protected]>
2024-07-26 12:27 ` Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
1 sibling, 1 reply; 8+ messages in thread
From: Marina Polyakova @ 2024-07-26 12:03 UTC (permalink / raw)
To: Daniel Gustafsson <[email protected]>; +Cc: Heikki Linnakangas <[email protected]>; Andres Freund <[email protected]>; pgsql-hackers
Hello!
On 2024-07-26 14:55, Daniel Gustafsson wrote:
> Thanks for review, I've applied this backpatched all the way.
It looks like the recommended way of using autoheader [1] is now broken.
The attached patch fixes the master branch for me.
[1]
https://www.postgresql.org/message-id/30511.1546097762%40sss.pgh.pa.us
--
Marina Polyakova
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company
Attachments:
[text/x-diff] diff_fix_autoheader.patch (882B, ../../[email protected]/2-diff_fix_autoheader.patch)
download | inline diff:
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index db3fcbecc3ab33c8593eeb4a6d2927f674e2f684..3dea3856aaf06a3c59a77cc46e76b6d6efd5f88c 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -388,6 +388,9 @@
/* Define to 1 if you have the `SSL_CTX_set_cert_cb' function. */
#undef HAVE_SSL_CTX_SET_CERT_CB
+/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
+#undef HAVE_SSL_CTX_SET_NUM_TICKETS
+
/* Define to 1 if stdbool.h conforms to C99. */
#undef HAVE_STDBOOL_H
@@ -517,9 +520,6 @@
/* Define to 1 if you have the `X509_get_signature_info' function. */
#undef HAVE_X509_GET_SIGNATURE_INFO
-/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
-#undef HAVE_SSL_CTX_SET_NUM_TICKETS
-
/* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */
#undef HAVE_X86_64_POPCNTQ
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: tls 1.3: sending multiple tickets
2024-06-18 13:11 Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-24 05:44 ` Re: tls 1.3: sending multiple tickets Heikki Linnakangas <[email protected]>
2024-07-26 11:55 ` Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-26 12:03 ` Re: tls 1.3: sending multiple tickets Marina Polyakova <[email protected]>
@ 2024-07-26 12:27 ` Daniel Gustafsson <[email protected]>
2024-07-26 12:47 ` Re: tls 1.3: sending multiple tickets Marina Polyakova <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: Daniel Gustafsson @ 2024-07-26 12:27 UTC (permalink / raw)
To: Marina Polyakova <[email protected]>; +Cc: Heikki Linnakangas <[email protected]>; Andres Freund <[email protected]>; pgsql-hackers
> On 26 Jul 2024, at 14:03, Marina Polyakova <[email protected]> wrote:
> On 2024-07-26 14:55, Daniel Gustafsson wrote:
>> Thanks for review, I've applied this backpatched all the way.
>
> It looks like the recommended way of using autoheader [1] is now broken. The attached patch fixes the master branch for me.
Thanks for the report, I'll fix it. Buildfarm animal hamerkop also reminded me
that I had managed to stash the old MSVC buildsystem changes (ENOTENOUGHCOFFEE)
so fixing that at the same time.
--
Daniel Gustafsson
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: tls 1.3: sending multiple tickets
2024-06-18 13:11 Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-24 05:44 ` Re: tls 1.3: sending multiple tickets Heikki Linnakangas <[email protected]>
2024-07-26 11:55 ` Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-26 12:03 ` Re: tls 1.3: sending multiple tickets Marina Polyakova <[email protected]>
2024-07-26 12:27 ` Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
@ 2024-07-26 12:47 ` Marina Polyakova <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Marina Polyakova @ 2024-07-26 12:47 UTC (permalink / raw)
To: Daniel Gustafsson <[email protected]>; +Cc: Heikki Linnakangas <[email protected]>; Andres Freund <[email protected]>; pgsql-hackers
On 2024-07-26 15:27, Daniel Gustafsson wrote:
>> On 26 Jul 2024, at 14:03, Marina Polyakova
>> <[email protected]> wrote:
>> It looks like the recommended way of using autoheader [1] is now
>> broken. The attached patch fixes the master branch for me.
>
> Thanks for the report, I'll fix it. Buildfarm animal hamerkop also
> reminded me
> that I had managed to stash the old MSVC buildsystem changes
> (ENOTENOUGHCOFFEE)
> so fixing that at the same time.
Thank you!
--
Marina Polyakova
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: tls 1.3: sending multiple tickets
2024-06-18 13:11 Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-24 05:44 ` Re: tls 1.3: sending multiple tickets Heikki Linnakangas <[email protected]>
2024-07-26 11:55 ` Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
@ 2024-07-29 20:08 ` Andres Freund <[email protected]>
1 sibling, 0 replies; 8+ messages in thread
From: Andres Freund @ 2024-07-29 20:08 UTC (permalink / raw)
To: Daniel Gustafsson <[email protected]>; +Cc: Heikki Linnakangas <[email protected]>; pgsql-hackers
On 2024-07-26 13:55:29 +0200, Daniel Gustafsson wrote:
> Thanks for review, I've applied this backpatched all the way.
Thanks for working on this!
^ permalink raw reply [nested|flat] 8+ messages in thread
end of thread, other threads:[~2024-07-29 20:08 UTC | newest]
Thread overview: 8+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2021-03-11 23:36 [PATCH 04/10] wal_compression_method: default to zlib.. Justin Pryzby <[email protected]>
2024-06-18 13:11 Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-24 05:44 ` Re: tls 1.3: sending multiple tickets Heikki Linnakangas <[email protected]>
2024-07-26 11:55 ` Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-26 12:03 ` Re: tls 1.3: sending multiple tickets Marina Polyakova <[email protected]>
2024-07-26 12:27 ` Re: tls 1.3: sending multiple tickets Daniel Gustafsson <[email protected]>
2024-07-26 12:47 ` Re: tls 1.3: sending multiple tickets Marina Polyakova <[email protected]>
2024-07-29 20:08 ` Re: tls 1.3: sending multiple tickets Andres Freund <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox