Re: [HACKERS] GnuTLS support

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: Andreas Karlsson <andreas(at)proxel(dot)se>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [HACKERS] GnuTLS support
Date: 2018-01-17 17:30:16
Message-ID: b91b8eb6-4dda-45d1-5aa1-1a40b127dcf4@2ndquadrant.com
Views: Raw Message | Whole Thread | Download mbox
Thread:
Lists: pgsql-hackers

On 1/2/18 10:35, Peter Eisentraut wrote:
> On 11/26/17 20:05, Andreas Karlsson wrote:
>> I have now implemented this in the attached patch (plus added support
>> for channel binding and rebased it) but I ran into one issue which I
>> have not yet solved. The script for the windows version takes the
>> --with-openssl=<path> switch so that cannot just be translated to a
>> single --with-ssl switch. Should to have both --with-openssl and
>> --with-gnutls or --with-ssl=(openssl|gnutls) and --with-ssl-path=<path>?
>> I also do not know the Windows build code very well (or really at all).
>
> This patch appears to work well.

Seeing that Andres is apparently currently not available, I have started
to dig through this patch myself and made some adjustments.

Question for the group: We currently have a number of config settings
named ssl_*. Some of these are specific to OpenSSL, some are not, namely:

# general
ssl
ssl_dh_params_file
ssl_cert_file
ssl_key_file
ssl_ca_file
ssl_crl_file

# OpenSSL
ssl_ciphers
ssl_prefer_server_ciphers
ssl_ecdh_curve

# GnuTLS (proposed)
gnutls_priorities
(effectively a combination of ssl_ciphers and ssl_prefer_server_ciphers)

Should we rename the OpenSSL-specific settings to openssl_*?

It think it would be better for clarity, and they are not set very
commonly, so the user impact would be low.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message David Pereiro Lagares 2018-01-17 17:34:54 Index-only scan returns incorrect results when using a composite GIST index with a gist_trgm_ops column.
Previous Message Peter Geoghegan 2018-01-17 17:27:10 Re: [HACKERS] Parallel tuplesort (for parallel B-Tree index creation)