Re: TODO: GNU TLS

From: David Boreham <david_list(at)boreham(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-hackers(at)postgresql(dot)org, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, mark(at)mark(dot)mielke(dot)cc, Stephen Frost <sfrost(at)snowman(dot)net>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, Mark Kirkwood <markir(at)paradise(dot)net(dot)nz>
Subject: Re: TODO: GNU TLS
Date: 2006-12-31 02:54:34
Message-ID: 4597266A.9080106@boreham.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Tom Lane wrote:

>What basically bothers me about this is that trying to support both the
>OpenSSL and GNUTLS APIs is going to be an enormous investment of
>development and maintenance effort, because it's such a nontrivial thing
>
>
Fascinating thread for the holidays. I found it interesting that nobody
has mentioned
NSS (former Netscape SSL library). It has its own bag of problems of
course, but
for me is potentially more attractive than GNU TLS. e.g. it has FIPS-140
certification
and is actively under development by a software company with significant
resources.
It's also very widely deployed. I'm not saying that OpenSSL is bad (it'd
probably be my
first choice), just that there is another option besides GNU TLS.

BTW, if I may throw more gas on the licence debate flames -- the
OpenLDAP client library
depends on OpenSSL, and almost everything depends on OpenLDAP (e.g. PAM,
SASL,
any LDAP-enabled app). In 2003 Steven Frost submitted patches to the OL
code to
add GNU TLS support, but as far as I can tell that code is still not in
the current OpenLDAP
tree. Perhaps Steven could tell us what happened to that effort.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Stephen Frost 2006-12-31 03:14:19 Re: TODO: GNU TLS
Previous Message Bruce Momjian 2006-12-31 02:02:36 Re: TODO: GNU TLS