Re: [HACKERS] GnuTLS support
From | Christoph Berg |
---|---|
Subject | Re: [HACKERS] GnuTLS support |
Date | |
Msg-id | 20180201100839.GB335@msg.df7cb.de |
In response to | Re: [HACKERS] GnuTLS support (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>) |
Responses | Re: [HACKERS] GnuTLS support |
List | pgsql-hackers |
Re: Peter Eisentraut 2018-01-03 <99680dba-cf63-8151-1de2-46ca93897e56@2ndquadrant.com>
> One scenario is that if GnuTLS goes in, it's quite plausible that the
> PG11 packages for Debian and Ubuntu will use it by default. But if it
> doesn't support tls-server-endpoint, then a JDBC client (assuming
> channel binding support is added) can't connect to such a server with
> SCRAM authentication over SSL (which we hope will be a popular
> configuration), unless they manually disable channel binding altogether
> using the new scramchannelbinding connection option. That would be a
> very poor experience.

GnuTLS support would mean that Debian could finally link psql against
libreadline (instead of just LD_PRELOADing it at runtime) because
there's no OpenSSL license conflict anymore. But I'm only going to do
that switch if there are no visible incompatibilities for clients, and
even any server-side GUC name changes would need a damn good
justification because they make upgrades harder. The LD_PRELOAD hack
in psql works, there's no pressing urgency to remove it.

Christoph