Re: Support for NSS as a libpq TLS backend

On Fri, Jan 29, 2021 at 02:13:30PM +0100, Daniel Gustafsson wrote:
> I'm still not convinced that adding --with-ssl=openssl is worth it before the
> rest of NSS goes in (and more importantly, *if* it goes in).
>
> On the one hand, we already have pluggable (for some value of) support for
> adding TLS libraries, and adding --with-ssl is one more piece of that puzzle.
> We could of course have endless --with-X options instead but as you say,
> --with-uuid has set the tone here (and I believe that's good). On the other
> hand, if we never add any other library than OpenSSL then it's just complexity
> without benefit.

IMO, one could say the same thing for any piece of refactoring we have
done in the past to make the TLS/crypto code more modular. There is
demand for being able to choose among multiple SSL libs at build time,
and we are still in a phase where we evaluate the options at hand.
This refactoring is just careful progress, and this is one step in
this direction. The piece about refactoring the SSL tests is
similar.

> As mentioned elsewhere in the thread, the current v23 patchset has the
> --with-ssl change as a separate commit to at least make it visual what it looks
> like. The documentation changes are in the main NSS patch though since
> documenting --with-ssl when there is only one possible value didn't seem to be
> helpful to users whom are fully expected to use --with-openssl still.

The documentation changes should be part of the patch introducing the
switch IMO: a description of the new switch, as well as a paragraph
about the old value being deprecated. That's done this way for UUID.
--
Michael