Re: [PATCH] Remove useless DH param code on client side
From | Bruce Momjian |
---|---|
Subject | Re: [PATCH] Remove useless DH param code on client side |
Date | |
Msg-id | 200604270036.k3R0ajx03165@candle.pha.pa.us |
In response to | [PATCH] Remove useless DH param code on client side (Martijn van Oosterhout <kleptog@svana.org>) |
List | pgsql-patches |

Patch applied. Thanks.

---------------------------------------------------------------------------

Martijn van Oosterhout wrote:
-- Start of PGP signed section.
> In the SSL code in libpq it does some processing with DH parameters:
>
> SSL_CTX_set_tmp_dh_callback()
>
> This function is marked as server use only[1], the client always uses
> the DH parameters in the server, so all the code in the client dealing
> with the DH parameters is useless. This patch removes it.
>
> It's not clear why the code was added in the first place, it's been
> there almost since the beginning[2]. At the time there was a suggestion
> of merging the front-end and backend SSL code, but looking at the
> changes since, that seems unlikely.
>
> As a further example, the s_server program allows you to specify DH
> params, but s_client doesn't. In the GnuTLS documentation under
> gnutls_dh_params_generate2() it says[3]:
>
>     Also note that the DH parameters are only useful to servers. Since
>     clients use the parameters sent by the server, it's of no use to call
>     this in client side.
>
> Have a nice day,
>
> [1] http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#
> [2] http://developer.postgresql.org/cvsweb.cgi/pgsql/src/interfaces/libpq/fe-secure.c#rev1.2
> [3] http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-dh-params-generate2
> --
> Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> > Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> > tool for doing 5% of the work and then sitting around waiting for someone
> > else to do the other 95% so you can sue them.

[ Attachment, skipping... ]
-- End of PGP section, PGP failed!

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +