Another uberpatch for the SSL code.

The main improvements over the last revision include:

*) certs are fully validated - valid root certs must be available.
   This is a hassle, but it means that you *can* trust the identity
   of the server.
*) the client library can handle hardcoded root certificates, to
   avoid the need to copy these files.
*) host name of server cert must resolve to IP address, or be a
   recognized alias. This is more liberal than the previous
   iteration.
*) the number of bytes transferred is tracked, and the session
   key is periodically renegotiated.
*) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
   configuration files have reasonable defaults for each type
   of use.

Remaining issues are:

*) select() in legacy code?
*) encrypted private keys
*) session support (useful if auto-reconnection will be supported)
*) anonymous DH
*) fully implemented cert tools

Bear
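
The host-name rule from the list above ("must resolve to IP address, or be a recognized alias"), written out as an added example; it is not code from the message or from the patch. The names `cert_name_matches_peer`, `resolver_fn` and `sample_resolver`, the `example.test` hosts, the IPv4-only scope and the two-branch reading of "recognized alias" are all assumptions.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <strings.h>

/* Same signature as gethostbyname(), so a stub can stand in for the resolver. */
typedef struct hostent *(*resolver_fn)(const char *);

/* Assumed IPv4-only reading: accept when cert_cn resolves to the peer address,
 * or when cert_cn is the canonical name or an alias of the connected host. */
int cert_name_matches_peer(const char *cert_cn, const char *connect_host,
                           const char *peer_ip, resolver_fn resolve)
{
    struct in_addr peer;
    struct hostent *h;
    char **p;
    if (!cert_cn || !*cert_cn || !peer_ip || inet_pton(AF_INET, peer_ip, &peer) != 1)
        return 0;                           /* nothing to compare: reject */
    h = resolve(cert_cn);
    if (h && h->h_addrtype == AF_INET && h->h_length == (int) sizeof peer)
        for (p = h->h_addr_list; p && *p; p++)
            if (memcmp(*p, &peer, sizeof peer) == 0)
                return 1;                   /* cert name resolves to the peer */
    if (!connect_host || !(h = resolve(connect_host)))
        return 0;                           /* no host entry to search: reject */
    if (h->h_name && strcasecmp(h->h_name, cert_cn) == 0)
        return 1;                           /* cert carries the canonical name */
    for (p = h->h_aliases; p && *p; p++)
        if (strcasecmp(*p, cert_cn) == 0)
            return 1;                       /* cert carries a recognized alias */
    return 0;
}

/* Constructed sample data: db.example.test = 192.0.2.10, alias pg.example.test. */
struct hostent *sample_resolver(const char *name)
{
    static struct in_addr addr;
    static char *addrs[] = { (char *) &addr, NULL };
    static char *aliases[] = { "pg.example.test", NULL };
    static struct hostent h = { .h_name = "db.example.test", .h_aliases = aliases,
        .h_addrtype = AF_INET, .h_length = sizeof addr, .h_addr_list = addrs };
    inet_pton(AF_INET, "192.0.2.10", &addr);
    return strcasecmp(name, "db.example.test") == 0 ? &h : NULL;
}

int main(void)
{
    /* Exit status 0 when the sample certificate name is accepted. */
    return !cert_name_matches_peer("pg.example.test", "db.example.test",
                                   "192.0.2.10", sample_resolver);
}
```

Both branches trust whatever the resolver returns, so the check is only as strong as the name service behind `gethostbyname()`.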