On 1/2/18 10:35, Peter Eisentraut wrote:
> On 11/26/17 20:05, Andreas Karlsson wrote:
>> I have now implemented this in the attached patch (plus added support
>> for channel binding and rebased it) but I ran into one issue which I
>> have not yet solved. The script for the Windows version takes the
>> --with-openssl=<path> switch so that cannot just be translated to a
>> single --with-ssl switch. Should we have both --with-openssl and
>> --with-gnutls or --with-ssl=(openssl|gnutls) and --with-ssl-path=<path>?
>> I also do not know the Windows build code very well (or really at all).
>
> This patch appears to work well.

Seeing that Andres is apparently currently not available, I have started
to dig through this patch myself and made some adjustments.

Question for the group: We currently have a number of config settings
named ssl_*. Some of these are specific to OpenSSL, some are not, namely:

# general
ssl
ssl_dh_params_file
ssl_cert_file
ssl_key_file
ssl_ca_file
ssl_crl_file

# OpenSSL
ssl_ciphers
ssl_prefer_server_ciphers
ssl_ecdh_curve

# GnuTLS (proposed)
gnutls_priorities (effectively a combination of ssl_ciphers and
ssl_prefer_server_ciphers)

Should we rename the OpenSSL-specific settings to openssl_*? I think it
would be better for clarity, and they are not set very commonly, so the
user impact would be low.

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services