Re: [HACKERS] GnuTLS support

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: Andreas Karlsson <andreas(at)proxel(dot)se>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [HACKERS] GnuTLS support
Date: 2018-01-30 02:16:56
Views: Raw Message | Whole Thread | Download mbox
Lists: pgsql-hackers

On 1/28/18 23:43, Michael Paquier wrote:
> The comment at the top of PQinitSSL mentions OpenSSL, you may want to
> get rid of it as well.

I think that whole business is actually obsolete as of OpenSSL 1.1.0 and
not applicable to GnuTLS, so we might just leave it to die with some
appropriate documentation updates.

> To be honest, I find this refactoring confusing. As things stand on
> HEAD, fe-secure.c depends on the contents of fe-secure-openssl.c, and
> the dependency goes only in one direction. With your patch, you also
> make fe-secure-openssl.c call things within fe-secure.c. It seems to me
> that a cleaner split would be to introduce a common file for all the
> low-level routines like the two ones you are introducing here, say
> fe-secure-common.c. aND pq_verify_peer_name_matches_certificate_name and
> pq_verify_peer_name_matches_certificate should be moved to that.

I like that. Updated patch attached.

Peter Eisentraut
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Attachment Content-Type Size
v2-0001-Refactor-client-side-SSL-certificate-checking-cod.patch text/plain 18.5 KB

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2018-01-30 02:24:18 Re: [HACKERS] GnuTLS support
Previous Message Craig Ringer 2018-01-30 02:03:00 Re: JIT compiling with LLVM v9.1