Re: [PATCH] Add support for GnuTLS

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Martijn van Oosterhout <kleptog(at)svana(dot)org>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCH] Add support for GnuTLS
Date: 2006-05-06 17:11:26
Message-ID: 200605061711.k46HBQ715706@candle.pha.pa.us
Lists: pgsql-patches


This is a pretty massive patch, but I understand the license concerns.
Is this what we want to do?

FYI, yesterday's SSL CRL additions need to be added to this patch.

---------------------------------------------------------------------------

Martijn van Oosterhout wrote:
-- Start of PGP signed section.
> This patch does the following:
>
> - Provide GnuTLS support beside OpenSSL in both the frontend and
> backend. Which is used is decided by the configure options
> --with-openssl and --with-gnutls. They are mutually exclusive.
>
> - When psql starts up the message has been altered to include details
> about the library. For example either of:
>
> SSL connection established: GnuTLS (version 1.0.16), encryption DHE_RSA_AES_256_CBC_SHA
> SSL connection established: OpenSSL (version OpenSSL 0.9.7e 25 Oct 2004), encryption DHE-RSA-AES256-SHA
>
> - psql is now SSL library agnostic. It can display the above info
> whether or not the SSL library was available at compile time. All
> that matters is what the libpq library was compiled against.
>
> - Provides a new function in libpq called PQgettlsinfo(). This returns
> a resultset containing the most useful details of the SSL connection,
> if any.
>
> - A new command has been added to psql, \ssl, which displays all the
> information available via PQgettlsinfo().
>
> - Provides a new function in libpq called PQsetPassthrough(). Once this
> function has been called on an idle connection, its state changes to
> CONNECTION_PASSTHROUGH. The usual query functions PQsend*, PQexec*,
> PQconsumeinput and others are blocked. All further communication must
> be by the user via the send/receive functions given. The only way to
> undo this is via PQreset or PQfinish.
>
> Backward compatibility issues:
>
> - Applications using libpq to establish the connection and then
> reading/writing the socket directly may have unexpected results if
> the client is compiled against GnuTLS. The prior versions of libpq
> provided no way of identifying the SSL library in use. However, they
> will *not* crash.
>
> These applications have two options. They can use the new
> PQgettlsinfo() to determine which library libpq is using. They can
> then elect to disable SSL support via the sslmode option to avoid the
> issue. Alternately, they can use the new PQsetPassthrough() function
> to retrieve the necessary information to communicate directly.
>
> In the latter case, the application does not need to check the
> library in use, libpq will work transparently for all possibilities.
>
> Documentation will be provided assuming the above is considered
> satisfactory for inclusion without major changes.
>
> The attached diff does not include the diff of "configure" because I'm
> evidently running a different version and the result was 200KB of useless
> stuff. The full patch is available here:
>
> http://svana.org/kleptog/temp/gnutls.patch
>
> Just running autoconf on the local machine should also work.
>
> Have a nice day,
> --
> Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> > From each according to his ability. To each according to his ability to litigate.

[ Attachment, skipping... ]
-- End of PGP section, PGP failed!

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
