Re: [HACKERS] GnuTLS support

On 1/28/18 23:43, Michael Paquier wrote:
> The comment at the top of PQinitSSL mentions OpenSSL, you may want to
> get rid of it as well.

I think that whole business is actually obsolete as of OpenSSL 1.1.0 and
not applicable to GnuTLS, so we might just leave it to die with some
appropriate documentation updates.

> To be honest, I find this refactoring confusing. As things stand on
> HEAD, fe-secure.c depends on the contents of fe-secure-openssl.c, and
> the dependency goes only in one direction.  With your patch, you also
> make fe-secure-openssl.c call things within fe-secure.c.  It seems to me
> that a cleaner split would be to introduce a common file for all the
> low-level routines like the two ones you are introducing here, say
> fe-secure-common.c. aND pq_verify_peer_name_matches_certificate_name and
> pq_verify_peer_name_matches_certificate should be moved to that.

I like that.  Updated patch attached.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services