Re: [HACKERS] GnuTLS support

Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> Question for the group:  We currently have a number of config settings
> named ssl_*.  Some of these are specific to OpenSSL, some are not, namely:

> # general
> ssl
> ssl_dh_params_file
> ssl_cert_file
> ssl_key_file
> ssl_ca_file
> ssl_crl_file

> # OpenSSL
> ssl_ciphers
> ssl_prefer_server_ciphers
> ssl_ecdh_curve

> # GnuTLS (proposed)
> gnutls_priorities
> (effectively a combination of ssl_ciphers and ssl_prefer_server_ciphers)

> Should we rename the OpenSSL-specific settings to openssl_*?

> It think it would be better for clarity, and they are not set very
> commonly, so the user impact would be low.

Yeah, I think only the "general" parameters would be set by very
many people.  +1 for renaming the OpenSSL-only parameters.

I don't know too much about the internals here, so looking at your
list, I wonder whether "ssl_dh_params_file" ought to be treated as
implementation-specific too.  The other four files seem essential
to any feature-complete implementation, but is that one?

            regards, tom lane