Re: BUG #4869: No proper initialization of OpenSSL-Engine in libpq

Am Montag, 22. Juni 2009 16:38:32 schrieben Sie:
> Tom Lane wrote:
> > Magnus Hagander <magnus@hagander.net> writes:
> >> A question from that then, for others, is it Ok to add a field to the
> >> PGconn structure during RC? :-) It's only in libpq-int.h, but? Comment=
s?
> >
> > Changing PGconn internals doesn't bother me, but ...
> >
> > IIUC this is a pre-existing bug/limitation in an extremely seldom-used
> > feature that we don't have any very good way to test.  So I'm not really
> > excited about trying to fix it in RC at all.  The chances of breaking
> > something seem much higher than the usefulness of the fix would warrant.
> >
> > I'd suggest holding the matter until 8.5 development opens.
>
> I think we'll see this feature used a lot more now, since we support
> client certificate authentication. I bet that's the reason why Lars is
> using it now, but wasn't using it before. Correct, Lars?
That's right. Because clientside crypto engines and proper certificate=20
authentication is supported now, I would like to use a strong smartcard-bas=
ed=20
login in our high security environment.

> That would be the argument for doing it now. We previously supported
> engines for client certificates, but using client certificates at all
> wasn't very useful in pre-8.4, and that's why it wasn't used almost at
> all. While I don't expect a huge number of users of it in 8.4, I think
> it is a *much* more useful feature now, and thus will be used a lot more.

I could live with the patch during 8.4 cycle. But if we support crypto engi=
nes=20
now, we may do it the way that it really works.

regards
Lars