Re: [PATCH] Add support for GnuTLS - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: [PATCH] Add support for GnuTLS
Date
Msg-id 200605061711.k46HBQ715706@candle.pha.pa.us
In response to [PATCH] Add support for GnuTLS  (Martijn van Oosterhout <kleptog@svana.org>)
Responses Re: [PATCH] Add support for GnuTLS  (Martijn van Oosterhout <kleptog@svana.org>)
List pgsql-patches
This is a pretty massive patch, but I understand the license concerns.
Is this what we want to do?

FYI, yesterday's SSL CRL additions need to be added to this patch.

---------------------------------------------------------------------------

Martijn van Oosterhout wrote:
-- Start of PGP signed section.
> This patch does the following:
>
> - Provide GnuTLS support beside OpenSSL in both the frontend and
>   backend. Which is used is decided by the configure options
>   --with-openssl and --with-gnutls. They are mutually exclusive.
>
> - When psql starts up the message has been altered to include details
>   about the library. For example either of:
>
> SSL connection established: GnuTLS (version 1.0.16), encryption DHE_RSA_AES_256_CBC_SHA
> SSL connection established: OpenSSL (version OpenSSL 0.9.7e 25 Oct 2004), encryption DHE-RSA-AES256-SHA
>
> - psql is now SSL library agnostic. It can display the above info
>   whether or not the SSL library was available at compile time. All
>   that matters is what the libpq library was compiled against.
>
> - Provides a new function in libpq called PQgettlsinfo(). This returns
>   a resultset containing the most useful details of the SSL connection,
>   if any.
>
> - A new command has been added to psql, \ssl, which displays all the
>   information available via PQgettlsinfo().
>
> - Provides a new function in libpq called PQsetPassthrough(). Once this
>   function has been called on an idle connection, its state changes to
>   CONNECTION_PASSTHROUGH. The usual query functions PQsend*, PQexec*,
>   PQconsumeinput and others are blocked. All further communication must
>   be by the user via the send/receive functions given. The only way to
>   undo this is via PQreset or PQfinish.
>
> Backward compatibility issues:
>
> - Applications using libpq to establish the connection and then
>   reading/writing the socket directly may have unexpected results if
>   the client is compiled against GnuTLS. The prior versions of libpq
>   provided no way of identifying the SSL library in use. However, they
>   will *not* crash.
>
>   These applications have two options. They can use the new
>   PQgettlsinfo() to determine which library libpq is using. They can
>   then elect to disable SSL support via the sslmode option to avoid the
>   issue.  Alternately, they can use the new PQsetPassthrough() function
>   to retrieve the necessary information to communicate directly.
>
>   In the latter case, the application does not need to check the
>   library in use, libpq will work transparently for all possibilities.
>
> Documentation will be provided assuming the above is considered
> satisfactory for inclusion without major changes.
>
> The attached diff does not include the diff of "configure" because I'm
> evidently running a different version and result was 200KB of useless
> stuff. The full patch is available here:
>
> http://svana.org/kleptog/temp/gnutls.patch
>
> Just running autoconf on the local machine should also work.
>
> Have a nice day,
> --
> Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> > From each according to his ability. To each according to his ability to litigate.

[ Attachment, skipping... ]
-- End of PGP section, PGP failed!

--
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
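The two psql banner lines quoted in the patch description show one and the same cipher suite under two naming schemes (GnuTLS's DHE_RSA_AES_256_CBC_SHA versus OpenSSL's DHE-RSA-AES256-SHA). A client that wants to enforce a cipher policy regardless of which library libpq was built against therefore has to normalize the suite name before comparing it. The block below is an added example, not code from this patch or from PostgreSQL: it parses the "SSL connection established" banner format shown on this page into a canonical suite structure and applies a policy (forward-secret key exchange, no RC4/NULL/DES, at least 128-bit keys, no MD5). The token grammar, the alias table, the default key lengths and the policy thresholds are assumptions of this example and cover only the common suite names of that era; unsupported names raise ValueError rather than being guessed at.

```python
import re
from dataclasses import dataclass

# Banner lines copied from the patch description on this page.
BANNER_GNUTLS = ("SSL connection established: GnuTLS (version 1.0.16), "
                 "encryption DHE_RSA_AES_256_CBC_SHA")
BANNER_OPENSSL = ("SSL connection established: OpenSSL (version OpenSSL 0.9.7e 25 Oct 2004), "
                  "encryption DHE-RSA-AES256-SHA")

_BANNER_RE = re.compile(
    r"^SSL connection established: (?P<library>\w+) "
    r"\(version (?P<version>[^)]*)\), encryption (?P<cipher>\S+)$")

# Assumed vocabulary: enough for the OpenSSL and GnuTLS names of the period.
_KX = {"DHE", "ECDHE", "DH", "ECDH", "PSK", "RSA"}
_AUTH = {"RSA", "DSS", "ECDSA", "ANON"}
_MODE = {"CBC", "GCM"}               # dropped: the policy below does not depend on mode
_ALIAS = {"ARCFOUR": "RC4"}          # GnuTLS spelling -> canonical
_DEFAULT_BITS = {"RC4": 128, "NULL": 0, "3DES": 168, "DES": 56}
_SPLIT_BITS = re.compile(r"^(AES|CAMELLIA)(\d+)$")   # OpenSSL glues AES and key size

FORWARD_SECRET_KX = {"DHE", "ECDHE"}
WEAK_CIPHERS = {"RC4", "NULL", "DES", "3DES"}
WEAK_MACS = {"MD5"}


@dataclass(frozen=True)
class CipherSuite:
    kx: str      # key exchange
    auth: str    # peer authentication
    cipher: str  # bulk cipher
    bits: int    # symmetric key length
    mac: str     # record MAC / PRF hash


def parse_cipher_name(name):
    """Map an OpenSSL- or GnuTLS-style suite name to a library-independent CipherSuite."""
    tokens = []
    for t in re.split(r"[_-]", name.upper()):
        m = _SPLIT_BITS.match(t)
        if m:
            tokens.extend([m.group(1), m.group(2)])   # AES256 -> AES, 256
        elif t not in _MODE:
            tokens.append(_ALIAS.get(t, t))
    mac = tokens.pop()
    # OpenSSL omits the RSA key exchange ("AES256-SHA"); GnuTLS spells it out.
    kx = tokens.pop(0) if tokens[0] in _KX else "RSA"
    # Authentication is only spelled out when it differs from the exchange.
    auth = tokens.pop(0) if tokens and tokens[0] in _AUTH else kx
    cipher = tokens.pop(0)
    if tokens and tokens[0].isdigit():
        bits = int(tokens.pop(0))
    elif cipher in _DEFAULT_BITS:
        bits = _DEFAULT_BITS[cipher]
    else:
        raise ValueError("unsupported cipher-suite name: %s" % name)
    if tokens:
        raise ValueError("unsupported cipher-suite name: %s" % name)
    return CipherSuite(kx, auth, cipher, bits, mac)


def parse_banner(line):
    """Return (library, version, CipherSuite) from a psql SSL banner line."""
    m = _BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSL banner line: %r" % line)
    return m.group("library"), m.group("version"), parse_cipher_name(m.group("cipher"))


def check_policy(suite):
    """Return a list of policy violations; an empty list means the suite is acceptable."""
    problems = []
    if suite.kx not in FORWARD_SECRET_KX:
        problems.append("no forward secrecy (key exchange %s)" % suite.kx)
    if suite.cipher in WEAK_CIPHERS:
        problems.append("weak cipher %s" % suite.cipher)
    if suite.bits < 128:
        problems.append("key too short (%d bits)" % suite.bits)
    if suite.mac in WEAK_MACS:
        problems.append("weak MAC %s" % suite.mac)
    return problems


if __name__ == "__main__":
    for line in (BANNER_GNUTLS, BANNER_OPENSSL):
        lib, ver, suite = parse_banner(line)
        print(lib, ver, suite, check_policy(suite) or "OK")
```

Both banner lines parse to the identical CipherSuite, which is the point: a policy keyed on the library-specific string would need two rules (and would silently accept nothing if libpq were later built against a third library), whereas a policy over the canonical structure is independent of which library libpq reports.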
