On Wed, Feb 16, 2011 at 04:33:19PM -0800, Joshua D. Drake wrote: > Maybe we really should consider moving to NSS insread? > > http://www.mozilla.org/projects/security/pki/nss/ > > If it solves the license problem, it is well supported etc..
For the record, which library you choose only matters for a fairly small (and easy) part of the patch. Changing libpq to be SSL library agnostic is more work. For the people who aren't following, the issue is there are libraries out there that use libpq to setup the connection to the postgres server (so handing all authentication, et al) and then stealing the FD and implementing the rest of the protocol themselves. This is supported. Where it goes wonky is that this also has to work when the connection is via SSL. So libpq provides a function to return (via a void*) a pointer to the OpenSSL structure so that can be used to communicate with the server. As you can imagine, unless the library you use is *binary* compatable with OpenSSL, you're kinda stuck. The idea I suggested way back was to introduce a passthrough mode which would hide all the connection details within libpq, simplifying the code on both sides. Then after a few releases you could remove the old code and change the SSL library at leasure. I guess the painless option however is no longer available. Have a nice day, -- Martijn van Oosterhout <klep...@svana.org> http://svana.org/kleptog/ > Patriotism is when love of your own people comes first; nationalism, > when hate for people other than your own comes first. > - Charles de Gaulle
signature.asc
Description: Digital signature