Re: [HACKERS] GnuTLS support - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: [HACKERS] GnuTLS support
Msg-id 8dff8808-27ba-59bb-cb1f-0ff3fe21b479@2ndquadrant.com
In response to Re: [HACKERS] GnuTLS support  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: [HACKERS] GnuTLS support
List pgsql-hackers
On 1/17/18 14:05, Tom Lane wrote:
> Although these corner cases are starting to make me feel like changing
> my original vote.  Maybe we should forget the prefixes, in particular
> renaming gnutls_priorities to ssl_priorities, and just accept the need
> to document some parameters as only relevant to some implementations.

We could go the route of normalizing all implementation-specific
settings to some set of atomic concepts and create separate settings for
those, and then map them back to the actual APIs in code.

So we could take ssl_ciphers, ssl_prefer_server_ciphers, ssl_ecdh_curve
and assemble internally something that we can pass to
gnutls_priority_init().

But I think it would be more helpful in practice if the naming of the
implementation-specific settings matches something you can look up in
the documentation of that implementation.  "GnuTLS priority string" is
easy to look up and well documented.  If instead we chop it up into
something that is more like the OpenSSL settings, I think we are not
helping anyone.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

