Re: TODO: GNU TLS

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-hackers(at)postgresql(dot)org, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, mark(at)mark(dot)mielke(dot)cc, Stephen Frost <sfrost(at)snowman(dot)net>, Mark Kirkwood <markir(at)paradise(dot)net(dot)nz>
Subject: Re: TODO: GNU TLS
Date: 2006-12-30 11:39:16
Message-ID: 20061230113916.GB8245@svana.org
Lists: pgsql-hackers

On Sat, Dec 30, 2006 at 02:10:42AM -0500, Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > Keep in mind it took years to get OpenSSL support up to the level we
> > have it now. It took SSL experts coming in and out of our development
> > process to get it 100% feature-complete.
>
> Actually, it's *not* feature-complete even yet.

What's missing? I don't see anything on the TODO list relating to
this. If you wanted a GnuTLS patch that supported more features than
the OpenSSL one, you should have said so. Personally I would have
added:

- authentication using PGP keys
- anonymous DH (ie doing encryption, without authentication or
shared keys)

I refrained because I figured that would give it even less chance of
getting accepted.

Additionally the patch implemented:

- A command in psql so you could see the parameters of the SSL
connection
- A method by which other client libraries (say JDBC) could use the
authentication and encryption features of libpq, but implement the
query protocol themselves.

> What basically bothers me about this is that trying to support both the
> OpenSSL and GNUTLS APIs is going to be an enormous investment of
> development and maintenance effort, because it's such a nontrivial thing
> to use properly. It sticks in my craw to be doing that work for no
> technical reason, only a license-lawyering reason; and not even a
> license issue that everyone is convinced is real.

As author of the patch, I'm slightly dismayed people are getting so
hung up on the licence issue, when it was *not* the main motivation for
writing it.

And if there are features you want, put them on the todo list. I'm not
sure about Bruce's comment about it being so hard to get the OpenSSL
level of support we have, given PostgreSQL is not doing anything not
described in the example code.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
