Re: [HACKERS] GnuTLS support

On 11/26/17 20:05, Andreas Karlsson wrote:
> I have now implemented this in the attached patch (plus added support
> for channel binding and rebased it) but I ran into one issue which I
> have not yet solved. The script for the windows version takes the
> --with-openssl=<path> switch so that cannot just be translated to a
> single --with-ssl switch. Should to have both --with-openssl and
> --with-gnutls or --with-ssl=(openssl|gnutls) and --with-ssl-path=<path>?
> I also do not know the Windows build code very well (or really at all).

This patch appears to work well.

As I had mentioned previously, I'm not fond of changing the existing
configure flags, and given the above issue, I'd just leave everything as
is and add --with-gnutls.

The patch contains a purported GUC variable gnutls_priority, but it is
not documented or used anywhere.

There are some test cases that are marked to be skipped. We should
document why that is.

I see a potential problem with the SCRAM channel binding support.
GnuTLS will not support tls-server-endpoint, so we'll need to check what
happens when a client requests that. (That's not the problem of this
patch, however.)

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services