Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: Jacob Champion <pchampion(at)vmware(dot)com>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2021-01-28 23:20:21
Message-ID: 51C8D20D-41D2-46EE-84BE-A672584C64E8@yesql.se
Lists: pgsql-hackers

> On 28 Jan 2021, at 07:06, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> On Wed, Jan 27, 2021 at 06:47:17PM +0000, Jacob Champion wrote:

>> Since SSL is an obsolete term, and the choice of OpenSSL vs NSS vs
>> [nothing] affects server operation (such as cryptohash) regardless of
>> whether or not connection-level TLS is actually used, what would you
>> all think about naming this option --with-crypto? I.e.
>>
>> --with-crypto=openssl
>> --with-crypto=nss
>
> Looking around, curl has multiple switches for each lib with one named
> --with-ssl for OpenSSL, but it needs to be able to use multiple
> libraries at run time.

To be fair, if we started over in curl I would push back on --with-ssl meaning
OpenSSL but that ship has long since sailed.

> I can spot that libssh2 uses what you are
> proposing. It seems to me that --with-ssl is a bit more popular but
> not by that much: wget, wayland, some apache stuff (it uses a path as
> option value). Anyway, what you are suggesting sounds like a good in
> the context of Postgres. Daniel?

SSL is admittedly an obsolete technical term, but it's one that enough people
have decided is interchangeable with TLS that it's not a hill worth dying on
IMHO. Since postgres won't allow for using libnss or OpenSSL for cryptohash
*without* compiling SSL/TLS support (used or not), I think --with-ssl=LIB is
more descriptive and less confusing.

--
Daniel Gustafsson https://vmware.com/
