Re: [HACKERS] GnuTLS support

On 1/2/18 10:35, Peter Eisentraut wrote:
> On 11/26/17 20:05, Andreas Karlsson wrote:
>> I have now implemented this in the attached patch (plus added support
>> for channel binding and rebased it) but I ran into one issue which I
>> have not yet solved. The script for the windows version takes the
>> --with-openssl=<path> switch so that cannot just be translated to a
>> single --with-ssl switch. Should to have both --with-openssl and
>> --with-gnutls or --with-ssl=(openssl|gnutls) and --with-ssl-path=<path>?
>> I also do not know the Windows build code very well (or really at all).
>
> This patch appears to work well.

Seeing that Andres is apparently currently not available, I have started
to dig through this patch myself and made some adjustments.

Question for the group: We currently have a number of config settings
named ssl_*. Some of these are specific to OpenSSL, some are not, namely:

# general
ssl
ssl_dh_params_file
ssl_cert_file
ssl_key_file
ssl_ca_file
ssl_crl_file

# OpenSSL
ssl_ciphers
ssl_prefer_server_ciphers
ssl_ecdh_curve

# GnuTLS (proposed)
gnutls_priorities
(effectively a combination of ssl_ciphers and ssl_prefer_server_ciphers)

Should we rename the OpenSSL-specific settings to openssl_*?

It think it would be better for clarity, and they are not set very
commonly, so the user impact would be low.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services