On Sat, Dec 30, 2006 at 02:10:42AM -0500, Tom Lane wrote:
> Bruce Momjian <[EMAIL PROTECTED]> writes:
> > Keep in mind it took years to get OpenSSL support up to the level we
> > have it now. It took SSL experts coming in and out of our development
> > process to get it 100% feature-complete.
>
> Actually, it's *not* feature-complete even yet.

What's missing? I don't see anything on the TODO list relating to this.
If you wanted a GnuTLS patch that supported more features than the
OpenSSL one, you should have said so. Personally I would have added:

- authentication using PGP keys
- anonymous DH (i.e. doing encryption, without authentication or shared keys)

I refrained because I figured that would give it even less chance of
getting accepted. Additionally the patch implemented:

- A command in psql so you could see the parameters of the SSL connection
- A method by which other client libraries (say JDBC) could use the
  authentication and encryption features of libpq, but implement the
  query protocol themselves.

> What basically bothers me about this is that trying to support both the
> OpenSSL and GNUTLS APIs is going to be an enormous investment of
> development and maintenance effort, because it's such a nontrivial thing
> to use properly. It sticks in my craw to be doing that work for no
> technical reason, only a license-lawyering reason; and not even a
> license issue that everyone is convinced is real.

As author of the patch, I'm slightly dismayed people are getting so hung
up on the licence issue, when it was *not* the main motivation for
writing it. And if there are features you want, put them on the TODO list.

I'm not sure about Bruce's comment about it being so hard to get the
OpenSSL level of support we have, given PostgreSQL is not doing anything
not described in the example code.

Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to
> litigate.