* Martijn van Oosterhout (kleptog@svana.org) wrote:
> On Sat, Dec 30, 2006 at 02:10:42AM -0500, Tom Lane wrote:
> > Actually, it's *not* feature-complete even yet.
>
> What's missing? I don't see anything on the TODO list relating to
> this. If you wanted a GnuTLS patch that supported more features than
> the OpenSSL one, you should have said so. Personally I would have
> added:
>
> - authentication using PGP keys

This would be the big feature I think is missing from our current SSL
support. I don't think it'd be terribly difficult to support with either
library (I think most of the work would be on the PG user auth side,
which would be usable by either).

> - anonymous DH (ie doing encryption, without authentication or
> shared keys)

Would be nice.

> I refrained because I figured that would give it even less chance of
> getting accepted.

Indeed..

> Additionally the patch implemented:
>
> - A command in psql so you could see the parameters of the SSL
> connection
> - A method by which other client libraries (say JDBC) could use the
> authentication and encryption features of libpq, but implement the
> query protocol themselves.
>
> > What basically bothers me about this is that trying to support both the
> > OpenSSL and GNUTLS APIs is going to be an enormous investment of
> > development and maintenance effort, because it's such a nontrivial thing
> > to use properly. It sticks in my craw to be doing that work for no
> > technical reason, only a license-lawyering reason; and not even a
> > license issue that everyone is convinced is real.
>
> As author of the patch, I'm slightly dismayed people are getting so
> hung up on the licence issue, when it was *not* the main motivation for
> writing it.

I hadn't intended (or expected) the reaction to the licensing issue to
turn people off to GNUTLS support in general. My intent was more along
the lines of "I figure you'll support it since it's good to have options,
but additionally it'd resolve an issue for Debian". Though perhaps that
issue is all in Debian's collective head and not anywhere else. Sorry
for that. :/

> And if there's features you want, put them on the todo list. I'm not
> sure about Bruce's comment about it being so hard to get the OpenSSL
> level of support we have, given PostgreSQL is not doing anything not
> described in the example code.

Agreed.

	Thanks,

		Stephen
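The "anonymous DH" mode discussed in the thread gives encryption without authentication, which is exactly the property an active attacker exploits. The following is an added example, not code from this thread or from PostgreSQL or GnuTLS: a toy finite-field Diffie-Hellman exchange in Python that runs the honest case and then the same exchange with an attacker substituting its own public value, and finally shows how a shared key (the "shared keys" the message contrasts anonymous DH with) lets the client reject the substituted value. The group parameters, function names, and the HMAC-based tagging are my own assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy group, for illustration only: p is the Mersenne prime 2^127 - 1
# and g = 3. It is not a safe prime and far too small for real use; a deployment
# would use a standardized group (RFC 3526 / RFC 7919) or an elliptic-curve exchange.
P = 2**127 - 1
G = 3


def dh_keypair(p=P, g=G):
    """Return (private exponent, public value) for one party."""
    x = secrets.randbelow(p - 2) + 2          # private exponent in [2, p-1]
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=P):
    """Derive a 32-byte session key from the raw DH secret (hashing is the usual KDF step)."""
    secret = pow(peer_pub, priv, p)           # fits in 16 bytes because p < 2^127
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def honest_exchange():
    """Client and server swap public values directly; both derive the same key."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    return dh_shared(c_priv, s_pub), dh_shared(s_priv, c_pub)


def mitm_exchange():
    """Anonymous DH under an active attacker who replaces each public value with its own.

    Returns (client_key, server_key, attacker_key_with_client, attacker_key_with_server).
    Neither endpoint notices: each simply sees a valid-looking public value.
    """
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    client_key = dh_shared(c_priv, m_pub)     # client thinks m_pub came from the server
    server_key = dh_shared(s_priv, m_pub)     # server thinks m_pub came from the client
    attacker_client_key = dh_shared(m_priv, c_pub)
    attacker_server_key = dh_shared(m_priv, s_pub)
    # The attacker holds both session keys and can decrypt and re-encrypt every byte.
    return client_key, server_key, attacker_client_key, attacker_server_key


def tag_public_value(pub, psk):
    """Toy authentication (assumption, not a real protocol): MAC the public value with a
    key both endpoints already share, so a substituted value fails verification."""
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def client_accepts(pub, tag, psk):
    """Constant-time check of the tag before using pub in the exchange."""
    return hmac.compare_digest(tag, tag_public_value(pub, psk))


def authenticated_exchange_under_mitm(psk=b"constructed-pre-shared-key"):
    """Same substitution attack, but the server's value carries a tag under the shared key.

    Returns (genuine_value_accepted, substituted_value_accepted).
    """
    _, s_pub = dh_keypair()
    _, m_pub = dh_keypair()
    tag = tag_public_value(s_pub, psk)
    # The attacker can forward the tag but cannot produce one for its own m_pub.
    return client_accepts(s_pub, tag, psk), client_accepts(m_pub, tag, psk)


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest exchange keys match:", a == b)
    ck, sk, mc, ms = mitm_exchange()
    print("under MITM, client and server keys match:", ck == sk)
    print("attacker shares client's key:", ck == mc, "and server's key:", sk == ms)
    print("authenticated: genuine accepted / forged accepted:", authenticated_exchange_under_mitm())
```

The point for the feature under discussion: anonymous DH protects against a passive eavesdropper on the wire, and nothing else. Any deployment that enables it needs some other binding (a certificate, a pre-shared key, or PGP-key authentication as proposed earlier in the thread) before it can claim the peer is who it says it is.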