Re: [HACKERS] GnuTLS support

From: Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>
To: Andreas Karlsson <andreas(at)proxel(dot)se>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [HACKERS] GnuTLS support
Date: 2017-11-20 00:42:16
Message-ID: 30eb806b-109f-c642-b2b5-b20f6f76403d@2ndquadrant.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hi,

On 11/02/2017 11:33 PM, Andreas Karlsson wrote:
> On 09/18/2017 07:04 PM, Jeff Janes wrote:> You fixed the first issue,
> but I still get the second one:
>>
>> be-secure-gnutls.c: In function 'get_peer_certificate':
>> be-secure-gnutls.c:667: error: 'GNUTLS_X509_CRT_LIST_SORT' undeclared
>> (first use in this function)
>> be-secure-gnutls.c:667: error: (Each undeclared identifier is reported
>> only once
>> be-secure-gnutls.c:667: error: for each function it appears in.)
>
> Thanks again for testing the code. I have now rebased the patch and
> fixed the second issue. I tested that it works on CentOS 6.
>
> Work which remains:
>
> - sslinfo
> - pgcrypto
> - Documentation
> - Decide if what I did with the config is a good idea
>

I don't want to be the annoying guy, but this patch no longer applies
due to 642bafa0c5f9f08d106a14f31429e0e0c718b603 touching the tests :-(

BTW regarding the config, I believe you've kept is static (no hiding of
sections based on configure parameters), and you've separated the
openssl and gnutls options, right? Seems fine to me. The one thing is
that it was proposed to rename the openssl-specific options to start
with openssl_ instead of ssl_.

One question though. What happens when you do

./configure --with-openssl --with-gnutls

If I get it right we ignore gnutls and use openssl (as it's the first
checked in #ifdefs). Shouldn't we enforce in configure that only one TLS
implementation is enabled? Either by some elaborate check, or by
switching to something like

--with-ssl=(openssl|gnutls)

regards

--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Badrul Chowdhury 2017-11-20 00:49:21 RE: [HACKERS] Re: protocol version negotiation (Re: Libpq PGRES_COPY_BOTH - version compatibility)
Previous Message Tsunakawa, Takayuki 2017-11-20 00:12:50 RE: Speed up the removal of WAL files