[PATCH] Add support for GnuTLS

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: pgsql-patches(at)postgresql(dot)org
Subject: [PATCH] Add support for GnuTLS
Date: 2006-05-04 13:48:07
Message-ID: 20060504134807.GK4752@svana.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-patches

This patch does the following:

- Provide GnuTLS support beside OpenSSL in both the frontend and
backend. Which is used is decided by the configure options
--with-openssl and --with-gnutls. They are mutually exclusive.

- When psql starts up the message has been altered to include details
about the library. For example either of:

SSL connection established: GnuTLS (version 1.0.16), encryption DHE_RSA_AES_256_CBC_SHA
SSL connection established: OpenSSL (version OpenSSL 0.9.7e 25 Oct 2004), encryption DHE-RSA-AES256-SHA

- psql is now SSL library agnostic. It can display the above info
whether or not the SSL library was available at compile time. All
that matters is what the libpq library was compiled against.

- Provides a new function in libpq called PQgettlsinfo(). This returns
a resultset containing the most useful details of the SSL connection,
if any.

- A new command has been added to psql, \ssl, which displays all the
information available via PQgettlsinfo().

- Provides a new function in libpq called PQsetPassthrough(). Once this
function has been called on an idle connection, its state changes to
CONNECTION_PASSTHROUGH. The usual query functions PQsend*, PQexec*,
PQconsumeinput and others are blocked. All further communication must
be by the user via the send/receive functions given. The only way to
undo this is via PQreset or PQfinish.

Backward compatability issues:

- Applications using libpq to establish the connection and then
reading/writing the socket directly may have unexpected results if
the client is compiled against GnuTLS. The prior versions of libpq
provided no way of identifying the SSL library is use. However, they
will *not* crash.

These applications have two options. They can use the new
PQgettlsinfo() to determine which library libpq is using. They can
then elect to disable SSL support via the sslmode option to avoid the
issue. Alternately, they can use the new PQsetPassthough() function
to retreive the necessary information to communicate directly.

In the latter case, the application does not need to check the
library in use, libpq will work transparently for all possibilities.

Documentation will be provided assuming the above is considered
satisfactory for inclusion without major changes.

The attached diff does not include the diff of "configure" because I'm
evidently running a different version and result was 200KB of useless
stuff. The full patch is available here:


Just running autoconf on the local machine should also work.

Have a nice day,
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

Attachment Content-Type Size
gnutls.patch text/plain 153.8 KB


Browse pgsql-patches by date

  From Date Subject
Next Message Fabien COELHO 2006-05-04 15:10:11 cast bytea to/from bit strings
Previous Message Martijn van Oosterhout 2006-05-04 10:43:47 [PATCH] Have configure complain about unknown options