Re: [PATCH] Automatic client certificate selection support for libpq v1

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Seth Robertson <in-pgsql-hackers(at)baka(dot)org>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] Automatic client certificate selection support for libpq v1
Date: 2009-05-08 19:03:56
Message-ID: 12314.1241809436@sss.pgh.pa.us
Lists: pgsql-hackers

Seth Robertson <in-pgsql-hackers(at)baka(dot)org> writes:
> In message <8766(dot)1241799013(at)sss(dot)pgh(dot)pa(dot)us>, Tom Lane writes:
>> Hmm, shouldn't we fix *that* rather than inventing a hack like this?

> Basically doing this would probably become a project instead of a 5
> minute hack to support 80% of the functionality. I understand the
> desire to limit the number of hacks in the source code, though.

It's certainly possible that what you have done represents the best
available engineering tradeoff. But at this point it's too late for 8.4
and so we have quite a bit of time to think about it. I'd like to at
least consider alternative solutions before we choose this one.

BTW, I was reminded today that Fedora/Red Hat are hoping to standardize
all crypto-related functionality in their entire distro on the NSS
libraries:
http://fedoraproject.org/wiki/FedoraCryptoConsolidation
This is a long way from fruition, but at some point we are going to be
faced with using a compatibility wrapper that sort of emulates openssl
(they are not even pretending it'll be 100% compatible). So I'm feeling
a bit leery of wiring in any additional dependence on details of openssl
functionality. I hesitate though to suggest that we think about porting
ourselves to NSS --- I'm not sure that there would be benefits to us
within the context of Postgres alone. Is anyone sufficiently up on the
different crypto libraries to comment on that?

regards, tom lane
