Re: TODO: GNU TLS

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-hackers(at)postgresql(dot)org, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, mark(at)mark(dot)mielke(dot)cc, Martijn van Oosterhout <kleptog(at)svana(dot)org>, Mark Kirkwood <markir(at)paradise(dot)net(dot)nz>
Subject: Re: TODO: GNU TLS
Date: 2006-12-30 18:32:38
Message-ID: 200612301832.kBUIWcp08660@momjian.us
Lists: pgsql-hackers

Stephen Frost wrote:
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > Robert Treat wrote:
> > > given options like --enable-dtrace and --with-libedit-preferred, I don't find
> > > this argument compelling...
> >
> > Keep in mind it took years to get OpenSSL support up to the level we
> > have it now. It took SSL experts coming in and out of our development
> > process to get it 100% feature-complete. Doing this for another
> > library, I am afraid, isn't trivial, unlike the above options.
>
> Uhh, I have no idea where you got the idea that our current OpenSSL
> support is anywhere near 100% feature complete for an SSL
> implementation. It's certainly not, and we've been over that
> previously...

My point was that in the past our SSL implementation had known problems,
and only people appearing randomly seemed to be able to fix them, e.g.
"Bear" was one of them. I have not seen any major complaints recently,
so I feel we at least have acceptable SSL support, but it took years.
Typically, some SSL expert would appear, say there was something wrong
with our SSL code, say he didn't have time to fix it, and disappear. I
would then chase him around and maybe get a patch from him for a few of
the problems he found (but not all of them).

I had to cobble together a Certificate Revocation List (CRL) patch for
8.2 from someone's posted patch. I didn't even know what CRL was, and
got no feedback from the community, so I had to figure it out myself to
get it into CVS (for server and client sides) and documented.

If I couldn't get community help for getting a patch documented for 8.2,
what help are we going to get to maintain two ways of doing SSL?

For some reason, SSL seems to have more black magic than other
libraries.

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
