Re: Support for NSS as a libpq TLS backend

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Andres Freund <andres@anarazel.de>
Cc: Robert Haas <robertmhaas@gmail.com>, Julien Rouhaud <rjuju123@gmail.com>, Jacob Champion <pchampion@vmware.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, "hlinnaka@iki.fi" <hlinnaka@iki.fi>, "andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>, "michael@paquier.xyz" <michael@paquier.xyz>, "thomas.munro@gmail.com" <thomas.munro@gmail.com>, "sfrost@snowman.net" <sfrost@snowman.net>
Date: 2022-01-31T21:51:19Z
Lists: pgsql-hackers
> On 31 Jan 2022, at 22:32, Andres Freund <andres@anarazel.de> wrote:
> 
> Hi,
> 
> On 2022-01-31 14:24:03 +0100, Daniel Gustafsson wrote:
>>> On 28 Jan 2022, at 15:30, Robert Haas <robertmhaas@gmail.com> wrote:
>>> I would really, really like to have an alternative to OpenSSL for PG.
>>> I don't know if this is the right thing, though. If other people are
>>> dropping support for it, that's a pretty bad sign IMHO. Later in the
>>> thread it says OpenLDAP have dropped support for it already as well.
>> 
>> I'm counting this and Andres' comment as a -1 on the patchset, and given where
>> we are in the cycle I'm mark it rejected in the CF app shortly unless anyone
>> objects.
> 
> I'd make mine more a -0.2 or so. I'm concerned about the lack of non-code
> documentation and the state of code documentation. I'd like an openssl
> alternative, although not as much as a few years ago - it seems that the state
> of openssl has improved compared to most of the other implementations.

IMHO I think OpenSSL has improved over OpenSSL of the past - which is great to
see - but they have also diverged themselves into writing a full QUIC
implementation which *I personally think* is a distraction they don't need.

That being said, there aren't too many other options.

--
Daniel Gustafsson		https://vmware.com/




Commits

  1. Add tab-completion for CREATE FOREIGN TABLE.

  2. Add tap tests for the schema publications.

  3. Move Perl test modules to a better namespace

  4. Adjust configure to insist on Perl version >= 5.8.3.

  5. Simplify code related to compilation of SSL and OpenSSL

  6. Introduce --with-ssl={openssl} as a configure option

  7. Implement support for bulk inserts in postgres_fdw

  8. Fix redundant error messages in client tools

  9. doc: Apply more consistently <productname> markup for OpenSSL

  10. Check ssl_in_use flag when reporting statistics