Re: [HACKERS] GnuTLS support

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Andres Freund <andres(at)anarazel(dot)de>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Dmitry Dolgov <9erthalion6(at)gmail(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Andreas Karlsson <andreas(at)proxel(dot)se>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [HACKERS] GnuTLS support
Date: 2018-11-29 23:00:40
Message-ID: 20181129230040.GS3415@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox
Thread:
Lists: pgsql-hackers

Greetings,

* Andres Freund (andres(at)anarazel(dot)de) wrote:
> On 2018-11-29 16:34:13 -0500, Tom Lane wrote:
> > Yeah, I was disappointed too. OpenSSL has had a squirrelly enough track
> > record that it'd be nice not to be totally dependent on it.
>
> GnuTLS seems, if anything, worse though. There's obviously good reasons
> to add support for TLS libraries that make it easier to use PG on
> certain platforms, but GnuTLS doesn't achieve that. So I don't think
> this is too sad.

There are very good reasons to give our users the option of different
TLS libraries, even if it's platforms where OpenSSL is also available,
for the reason Tom mentioned- OpenSSL hasn't had a terribly good track
record, and because there's been independent evaluation of different
libraries and OpenSSL doesn't top the list in those.

As such, I do believe it'd be good to have support for multiple
libraries, even on Linux or other platforms where OpenSSL is available.

Thanks!

Stephen

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2018-11-29 23:03:00 Re: pg_config wrongly marked as not parallel safe?
Previous Message Stephen Frost 2018-11-29 22:56:30 Re: [HACKERS] GnuTLS support