Re: [HACKERS] GnuTLS support - Mailing list pgsql-hackers

From Christoph Berg
Subject Re: [HACKERS] GnuTLS support
Date
Msg-id 20180201100839.GB335@msg.df7cb.de
Whole thread Raw
In response to Re: [HACKERS] GnuTLS support  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses Re: [HACKERS] GnuTLS support
List pgsql-hackers
Re: Peter Eisentraut 2018-01-03 <99680dba-cf63-8151-1de2-46ca93897e56@2ndquadrant.com>
> One scenario is that if GnuTLS goes in, it's quite plausible that the
> PG11 packages for Debian and Ubuntu will use it by default.  But if it
> doesn't support tls-server-endpoint, then a JDBC client (assuming
> channel binding support is added) can't connect to such a server with
> SCRAM authentication over SSL (which we hope will be a popular
> configuration), unless they manually disable channel binding altogether
> using the new scramchannelbinding connection option.  That would be a
> very poor experience.

GnuTLS support would mean that Debian could finally link psql against
libreadline (instead of just LD_PRELOADing it at runtime) because
there's not OpenSSL license conflict anymore. But I'm only going to do
that switch if there's no visible incompatibilities for clients, and
even any server-side GUC name changes would need a damn good
justification because they make upgrades harder. The LD_PRELOAD hack
in psql works, there's no pressing urgency to remove it.

Christoph


pgsql-hackers by date:

Previous
From: Amit Langote
Date:
Subject: Re: no partition pruning when partitioning using array type
Next
From: Konstantin Knizhnik
Date:
Subject: Re: Built-in connection pooling