Re: [PATCH] Add support for GnuTLS - Mailing list pgsql-patches
| From | Bruce Momjian |
|---|---|
| Subject | Re: [PATCH] Add support for GnuTLS |
| Date | |
| Msg-id | 200605061711.k46HBQ715706@candle.pha.pa.us |
| In response to | [PATCH] Add support for GnuTLS (Martijn van Oosterhout <kleptog@svana.org>) |
| Responses | Re: [PATCH] Add support for GnuTLS |
| List | pgsql-patches |
This is a pretty massive patch, but I understand the license concerns. Is this what we want to do?

FYI, yesterday's SSL CRL additions need to be added to this patch.

---------------------------------------------------------------------------

Martijn van Oosterhout wrote:
-- Start of PGP signed section.
> This patch does the following:
>
> - Provide GnuTLS support beside OpenSSL in both the frontend and
> backend. Which is used is decided by the configure options
> --with-openssl and --with-gnutls. They are mutually exclusive.
>
> - When psql starts up the message has been altered to include details
> about the library. For example either of:
>
> SSL connection established: GnuTLS (version 1.0.16), encryption DHE_RSA_AES_256_CBC_SHA
> SSL connection established: OpenSSL (version OpenSSL 0.9.7e 25 Oct 2004), encryption DHE-RSA-AES256-SHA
>
> - psql is now SSL library agnostic. It can display the above info
> whether or not the SSL library was available at compile time. All
> that matters is what the libpq library was compiled against.
>
> - Provides a new function in libpq called PQgettlsinfo(). This returns
> a resultset containing the most useful details of the SSL connection,
> if any.
>
> - A new command has been added to psql, \ssl, which displays all the
> information available via PQgettlsinfo().
>
> - Provides a new function in libpq called PQsetPassthrough(). Once this
> function has been called on an idle connection, its state changes to
> CONNECTION_PASSTHROUGH. The usual query functions PQsend*, PQexec*,
> PQconsumeInput and others are blocked. All further communication must
> be by the user via the send/receive functions given. The only way to
> undo this is via PQreset or PQfinish.
>
> Backward compatibility issues:
>
> - Applications using libpq to establish the connection and then
> reading/writing the socket directly may have unexpected results if
> the client is compiled against GnuTLS. The prior versions of libpq
> provided no way of identifying the SSL library in use. However, they
> will *not* crash.
>
> These applications have two options. They can use the new
> PQgettlsinfo() to determine which library libpq is using. They can
> then elect to disable SSL support via the sslmode option to avoid the
> issue. Alternately, they can use the new PQsetPassthrough() function
> to retrieve the necessary information to communicate directly.
>
> In the latter case, the application does not need to check the
> library in use; libpq will work transparently for all possibilities.
>
> Documentation will be provided assuming the above is considered
> satisfactory for inclusion without major changes.
>
> The attached diff does not include the diff of "configure" because I'm
> evidently running a different version and the result was 200KB of useless
> stuff. The full patch is available here:
>
> http://svana.org/kleptog/temp/gnutls.patch
>
> Just running autoconf on the local machine should also work.
>
> Have a nice day,
> --
> Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
>
> From each according to his ability. To each according to his ability to litigate.

[ Attachment, skipping... ]
-- End of PGP section, PGP failed!

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +