From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
---|---|
To: | Andreas Karlsson <andreas(at)proxel(dot)se>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
Cc: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] GnuTLS support |
Date: | 2018-01-17 17:30:16 |
Message-ID: | b91b8eb6-4dda-45d1-5aa1-1a40b127dcf4@2ndquadrant.com |
Lists: | pgsql-hackers |
On 1/2/18 10:35, Peter Eisentraut wrote:
> On 11/26/17 20:05, Andreas Karlsson wrote:
>> I have now implemented this in the attached patch (plus added support
>> for channel binding and rebased it) but I ran into one issue which I
>> have not yet solved. The script for the windows version takes the
>> --with-openssl=<path> switch so that cannot just be translated to a
>> single --with-ssl switch. Should we have both --with-openssl and
>> --with-gnutls or --with-ssl=(openssl|gnutls) and --with-ssl-path=<path>?
>> I also do not know the Windows build code very well (or really at all).
>
> This patch appears to work well.
Seeing that Andres is apparently currently not available, I have started
to dig through this patch myself and made some adjustments.

Question for the group: We currently have a number of config settings
named ssl_*. Some of these are specific to OpenSSL, some are not, namely:

# general
ssl
ssl_dh_params_file
ssl_cert_file
ssl_key_file
ssl_ca_file
ssl_crl_file

# OpenSSL
ssl_ciphers
ssl_prefer_server_ciphers
ssl_ecdh_curve

# GnuTLS (proposed)
gnutls_priorities
(effectively a combination of ssl_ciphers and ssl_prefer_server_ciphers)

Should we rename the OpenSSL-specific settings to openssl_*?

I think it would be better for clarity, and they are not set very
commonly, so the user impact would be low.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services