| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
| Cc: | Andreas Karlsson <andreas(at)proxel(dot)se>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] GnuTLS support |
| Date: | 2018-01-30 02:16:56 |
| Message-ID: | 1f982a03-af86-e941-a303-acec52856ff3@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 1/28/18 23:43, Michael Paquier wrote:
> The comment at the top of PQinitSSL mentions OpenSSL, you may want to
> get rid of it as well.
I think that whole business is actually obsolete as of OpenSSL 1.1.0 and
not applicable to GnuTLS, so we might just leave it to die with some
appropriate documentation updates.
> To be honest, I find this refactoring confusing. As things stand on
> HEAD, fe-secure.c depends on the contents of fe-secure-openssl.c, and
> the dependency goes only in one direction. With your patch, you also
> make fe-secure-openssl.c call things within fe-secure.c. It seems to me
> that a cleaner split would be to introduce a common file for all the
> low-level routines like the two ones you are introducing here, say
> fe-secure-common.c. aND pq_verify_peer_name_matches_certificate_name and
> pq_verify_peer_name_matches_certificate should be moved to that.
I like that. Updated patch attached.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| Attachment | Content-Type | Size |
|---|---|---|
| v2-0001-Refactor-client-side-SSL-certificate-checking-cod.patch | text/plain | 18.5 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2018-01-30 02:24:18 | Re: [HACKERS] GnuTLS support |
| Previous Message | Craig Ringer | 2018-01-30 02:03:00 | Re: JIT compiling with LLVM v9.1 |