From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
---|---|
To: | David Boreham <david_list(at)boreham(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-hackers(at)postgresql(dot)org, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, mark(at)mark(dot)mielke(dot)cc, Mark Kirkwood <markir(at)paradise(dot)net(dot)nz> |
Subject: | Re: TODO: GNU TLS |
Date: | 2007-01-02 19:59:05 |
Message-ID: | 20070102195905.GB26202@svana.org |
Lists: | pgsql-hackers |
On Tue, Jan 02, 2007 at 01:29:35PM -0500, Stephen Frost wrote:
> Would a patch to implement dual-support for OpenSSL and NSS be
> acceptable? Would just replacing OpenSSL support with NSS support be
When I was looking into this I looked at NSS, and eventually decided on
GnuTLS. Why? Because I read the GnuTLS documentation and I understood
it. The basic support for GnuTLS took a whole afternoon, the hard work
was leaving people with the choice of using OpenSSL. I read the OpenSSL
docs too, but I still don't understand how it works properly.

IMHO, GnuTLS has the advantage of being designed later which means
details like:

- Thread safety (GnuTLS is thread-safe by design, no locks needed)
- Proper layering (creating your own I/O function is trivial)
- Separate namespace
- Non-blocking support from the get-go

were taken care of. Since people are citing maintainability as a
concern, I think you really have to wonder whether NSS is a better
choice.
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.