On Fri, Feb 11, 2011 at 02:09:09PM -0500, Greg Smith wrote: > Note that the past discussion was on the difficulty of matching the > existing OpenSSL API using GnuTLS, which is apparently difficult to do. > I wasn't trying to suggest there were issues specificially with GnuTLS's > code quality. It's more that the APIs are just different enough that > it's not trivial to do a swap--which is surprising given how many people > have seemingly needed to do exactly this conversion. You'd think > there'd be a simple "OpenSSL-like" interface available for GnuTLS by now > or something.
I spent some time a while back making PostgreSQL work with GnuTLS. The actual SSL bit is trivial. The GnuTLS interface actually made sense whereas the OpenSSL one is opaque (at least, I've never seen any structure in it). The GnuTLS interface was designed in the modern era and it shows. The problems are primarily that psql exposes in various ways that it uses OpenSSL and does it in ways that are hard to support backward compatably. So for GnuTLS support you need to handle all those bits too. For example, the patch as presented introduced a passthrough mode that allowed applications to read/write over the SSL connection without actually knowing the underlying library. It had to fix psql to use this info. It had to provide ways for applications to determine the info they needed about the SSL, since it wouldn't beable to just grab the OpenSSL handle. All this made the patch large, which caused it to be rejected. I found that odd since the bulk of the patch was the renaming of two files, which makes for huge diffs while the changes where minimal. I beleive git is smarter about renames which means the diff may magically become much smaller just by using git, yay! Supporting GnuTLS for that backend was just icing, but trivial once the frontend was done. It can be left out. Have a nice day, -- Martijn van Oosterhout <klep...@svana.org> http://svana.org/kleptog/ > Patriotism is when love of your own people comes first; nationalism, > when hate for people other than your own comes first. > - Charles de Gaulle
signature.asc
Description: Digital signature
