| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | Jacob Champion <pchampion(at)vmware(dot)com>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de> |
| Subject: | Re: Support for NSS as a libpq TLS backend |
| Date: | 2021-01-29 13:13:30 |
| Message-ID: | D644A03D-2247-493F-A1EB-FC174EF15940@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 29 Jan 2021, at 07:01, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>
> On Fri, Jan 29, 2021 at 12:20:21AM +0100, Daniel Gustafsson wrote:
>> SSL is admittedly an obsolete technical term, but it's one that enough people
>> have decided is interchangeable with TLS that it's not a hill worth dying on
>> IMHO. Since postgres won't allow for using libnss or OpenSSL for cryptohash
>> *without* compiling SSL/TLS support (used or not), I think --with-ssl=LIB is
>> more descriptive and less confusing.
>
> Okay, let's use --with-ssl then for the new switch name. The previous
> patch is backward-compatible, and will simplify the rest of the set,
> so let's move on with it. Once this is done, my guess is that it
> would be cleaner to have a new patch that includes only the
> ./configure and MSVC changes, and then the rest: test refactoring,
> cryptohash, strong random and lastly TLS (we may want to cut this a
> bit more though and perhaps have some restrictions depending on the
> scope of options a first patch set could support).
>
> I'll wait a bit first to see if there are any objections to this
> change.
I'm still not convinced that adding --with-ssl=openssl is worth it before the
rest of NSS goes in (and more importantly, *if* it goes in).
On the one hand, we already have pluggable (for some value of) support for
adding TLS libraries, and adding --with-ssl is one more piece of that puzzle.
We could of course have endless --with-X options instead but as you say,
--with-uuid has set the tone here (and I believe that's good). On the other
hand, if we never add any other library than OpenSSL then it's just complexity
without benefit.
As mentioned elsewhere in the thread, the current v23 patchset has the
--with-ssl change as a separate commit to at least make it visual what it looks
like. The documentation changes are in the main NSS patch though since
documenting --with-ssl when there is only one possible value didn't seem to be
helpful to users whom are fully expected to use --with-openssl still.
--
Daniel Gustafsson https://vmware.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2021-01-29 13:14:48 | Re: Dumping/restoring fails on inherited generated column |
| Previous Message | Daniel Gustafsson | 2021-01-29 12:57:02 | Re: Support for NSS as a libpq TLS backend |