Re: Fwd: [PATCHES] Preliminary GSSAPI Patches

From: Josh Berkus <josh(at)agliodbs(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Fwd: [PATCHES] Preliminary GSSAPI Patches
Date: 2007-05-01 21:16:28
Message-ID: 200705011416.29041.josh@agliodbs.com
Lists: pgsql-hackers

Tom,

> And even more curious to see you defend that offhanded bashing of
> OpenSSL, a tool a whole lot of people (including me) depend on all day
> every day. If Postgres had the market penetration of OpenSSL, our lives
> would be a lot different. Have you got even a shred of evidence that
> GSSAPI is more stable than OpenSSL?

Short answer:
Existing Kerberos libs with GSSAPI may have the same issues; I don't know.
What I was speaking in favor of was having several encryption mechanisms
available so that at least one of them would be available on the user's
system at installation time. For that matter, I think we should support
Gnu-TLS if someone offers us a patch.

Long Answer:
I've been dealing with OpenSSL binary incompatibility issues for the last
few Solaris builds and it's made me very unhappy with the
upgrade/versioning/linking of OpenSSL, and explained a lot of issues I've
had around using OpenSSL with PostgreSQL and Apache previously. That is,
0.9.8 isn't always backwards compatible to 0.9.7 or 0.9.6, making
applications built against one version of OpenSSL not necessarily portable
or easily upgraded, and causing a lot of installation-related pain.

(yes, I know this describes PostgreSQL as well. People complain about it
all the time to us, and they're right)

When you combine that with the platform providers (like Novell, Sun and RH)
treating OpenSSL as if there were no upgrade issues (even though there
are), or being version-specific but not providing packages for other
versions, you end up with a situation where a lot of users can't actually
use OpenSSL on their system without ripping out a bunch of libraries and
replacing them with compatible versions. I've had this issue on SuSE,
Solaris, and OSX at different times.

The OpenSSL team appears to be very aware of these issues, which is why
Richard Levitte started the OpenTLS project (www.opentls.org) as a
successor to OpenSSL, where the issues are apparently insoluble
(http://marc.info/?l=openssl-dev&m=113042556401979&w=2). OpenSSL has also
added a stronger EVP_API and some versioning of symbols in the most recent
release, but that won't help most of our users for a while until 0.9.6 and
0.9.7 disappear from userspace.

Also, last I checked OpenSSL didn't ship with Windows and Kerberos
encryption did.

--
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco
