| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Merlin Moncure <mmoncure(at)gmail(dot)com> |
| Cc: | Andrew Chernow <ac(at)esilo(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: PQinitSSL broken in some use casesf |
| Date: | 2009-02-10 15:18:14 |
| Message-ID: | 49919AB6.4020501@hagander.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Merlin Moncure wrote:
> On Tue, Feb 10, 2009 at 9:32 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>>> How we worked around it:
>>> We solved it by copying the SSL init sequence from fe-secure.c. Doesn't
>>> seem like something that would change very often. So we
>>> init_our_library(), PQinitSSL(0) and then do a few lines of SSL init stuff.
>> Seems unusual, but certainly not "nearly impossible". But we're back to
>> the discussions around the WSA code - our API provides no really good
>> place to do this, so perhaps we should just clearly document how it's
>> done and how to work around it?
>
> I'm not so sure that's appropriate in this case. I think the existing
> libpq behavior is simply wrong...crypto and ssl are two separate
> libraries and PQinitSSL does not expose the necessary detail. This is
> going to break apps in isolated but spectacular fashion when they link
> to both pq and crypto for different reasons.
They could, but nobody has reported it yet, so it's not a common scenario.
> maybe invent a special value to PQinitSSL for ssl only init?
We could do that, I guess. However, if an application passes this in to
an old version of libpq, there is no way to know that it didn't know
about it.
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2009-02-10 15:39:47 | Re: PQinitSSL broken in some use casesf |
| Previous Message | Tom Lane | 2009-02-10 15:18:11 | Re: WIP: fix SET WITHOUT OIDS, add SET WITH OIDS |