A successor for PQgetssl

From: Martijn van Oosterhout
Subject: A successor for PQgetssl
Date:
Msg-id: 20060416204020.GE6591@svana.org
Replies: Re: A successor for PQgetssl (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-hackers
There was some discussion about the issues relating to using other SSL
libraries. In a nutshell, it came down to that we couldn't return
anything other than an OpenSSL pointer from PQgetssl because existing
programs simply wouldn't know what to do with it.

So, I was pondering what we might want from an alternative. What I've
come up with is the following:

PGresult *PQgettlsinfo(PGconn *conn);

What it does instead of returning a single pointer is return a PGresult
that has various info depending on the library involved. For example,
if you connected using a libpq compiled with GnuTLS it would contain
the following:
        key          |                 value
---------------------+---------------------------------------
 tls_library         | GnuTLS
 tls_library_version | 1.0.16
 tls_sslmode         | prefer
 tls_active          | yes
 tls_verify_server   | yes
 tls_peerdn          | C=AU,ST=NSW,L=Sydney,O=Home,CN=Myself
 tls_peercn          | Myself
 tls_protocol        | TLS 1.0
 tls_cipher          | AES 256 CBC
 tls_keysize         | 256 bits
 tls_kx              | DHE RSA
 tls_mac             | SHA
 tls_compression     | NULL
 tls_certtype        | X.509
(14 rows)

And when you connected with OpenSSL you would get something like:
        key          |                 value
---------------------+----------------------------------------
 tls_library         | OpenSSL
 tls_library_version | OpenSSL 0.9.7e 25 Oct 2004
 tls_sslmode         | prefer
 tls_active          | yes
 tls_peerdn          | /C=AU/ST=NSW/L=Sydney/O=Home/CN=Myself
 tls_peercn          | Myself
 tls_cipher          | DHE-RSA-AES256-SHA
 tls_protocol        | TLSv1/SSLv3
 tls_keysize         | 256 bits
(9 rows)

Now, other than for the first time giving users access to the
information like peer DN and CN, it also provides some other
information they might want. And it's done in a way that's extensible.

Do people like this idea?

Note, I don't return a pointer to the GnuTLS session anywhere. I think
that's a bad idea all round and we need to provide another way for
programs to achieve the same effect.

The thing is, it could be extended to include almost anything. One
example would be if the user authenticated using kerberos, we could add
a few rows indicating that. I suppose you would call it
PQgetconninfo().

Thoughts?

*** PostgreSQL with GnuTLS

I've got it almost completely working and have tested interoperability.
You can find it here:

http://svana.org/kleptog/temp/gnutls.patch

The patch does the following:

- Adds configure stuff for gnutls so it checks for the libraries when
you specify --with-gnutls. You may need to run autoconf and autoheader
after patching.

- Both fe-secure.c and be-secure.c have been made TLS library agnostic.
They only refer to functions that implement TLS specific stuff which
are implemented in the files:

src/interfaces/libpq/fe-secure-openssl.c
src/interfaces/libpq/fe-secure-gnutls.c
src/backend/libpq/be-secure-openssl.c
src/backend/libpq/be-secure-gnutls.c

The makefile determines which (if either) is linked in.

- Implements the PQgettlsinfo() as described above and alters psql to
use it. Hence psql is now also TLS library agnostic.

Differences between the two implementations are:

- GnuTLS generates the DH key on the fly on server start, which takes a
few seconds. The OpenSSL versions use hardcoded keys which can be
overridden by the user. Not sure which is best here.

- This breaks psqlODBC when it uses libpq because it wants to use OpenSSL
and when libpq is compiled with GnuTLS that obviously won't work.
Recent thread on -hackers found no resolution for this problem.

- Both support authentication of the server and authentication of the
client, though more testing is needed to test all the different
combinations of keys and certificates that are allowed.

- Different output for PQgettlsinfo()

That's about it. There's no real difference from the user's point of view,
it Just Works either way. In the future we may be able to use the PGP
support in GnuTLS. In other words, provide the server with a pgp
keyring and it accepts any user with a matching key in the keyring.

I hope to post to -patches sometime soon, once some of the kinks have
been ironed out.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
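
Added example, not code from the mail, the patch or libpq: what a client could do with the key/value rows the proposed PQgettlsinfo() returns, namely enforce a connection policy (TLS active, server verified, expected peer CN, minimum key size). The tls_row array is a stand-in for the PGresult (a real caller would fill it from PQgetvalue()), the rows are constructed from the two tables quoted above, and the CN extractor handles both DN syntaxes shown (comma-separated for GnuTLS, slash-separated for OpenSSL).

```c
/* Added example (not from the patch or libpq): policy check over the tls_*
 * key/value rows the proposed PQgettlsinfo() would return. tls_row stands in
 * for the PGresult rows; sample rows are constructed from the mail's tables. */
#include <stdlib.h>
#include <string.h>
struct tls_row { const char *key; const char *value; };
static const char *tls_lookup(const struct tls_row *rows, int n, const char *key)
{
    for (int i = 0; i < n; i++)
        if (strcmp(rows[i].key, key) == 0)
            return rows[i].value;
    return NULL;                          /* row absent: library did not report it */
}
/* Extract the CN from either DN syntax quoted in the mail:
 * GnuTLS "C=AU,...,CN=Myself" or OpenSSL "/C=AU/.../CN=Myself". */
static int dn_cn(const char *dn, char *out, size_t outlen)
{
    const char *p = dn;                   /* accept only a CN= that starts an RDN */
    while ((p = strstr(p, "CN=")) && p != dn && p[-1] != ',' && p[-1] != '/')
        p += 3;
    if (!p) return 0;
    p += 3;
    size_t len = strcspn(p, ",/");
    if (len == 0 || len >= outlen) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}
/* 1 if TLS is active, the server was verified, the peer CN matches and the key
 * has at least min_bits. A missing row fails closed: the OpenSSL table in the
 * mail has no tls_verify_server row, so that session is rejected here. */
static int tls_policy_ok(const struct tls_row *rows, int n, const char *expected_cn, int min_bits)
{
    const char *active = tls_lookup(rows, n, "tls_active");
    const char *verify = tls_lookup(rows, n, "tls_verify_server");
    const char *dn = tls_lookup(rows, n, "tls_peerdn");
    const char *ks = tls_lookup(rows, n, "tls_keysize");   /* "256 bits" -> 256 */
    char cn[128];
    if (!active || strcmp(active, "yes") != 0) return 0;
    if (!verify || strcmp(verify, "yes") != 0) return 0;
    if (!dn || !dn_cn(dn, cn, sizeof cn) || strcmp(cn, expected_cn) != 0) return 0;
    return ks != NULL && atoi(ks) >= min_bits;
}
/* Constructed rows mirroring the two outputs quoted above (subset of keys). */
static const struct tls_row gnutls_rows[] = { {"tls_library", "GnuTLS"}, {"tls_active", "yes"},
    {"tls_verify_server", "yes"}, {"tls_peerdn", "C=AU,ST=NSW,L=Sydney,O=Home,CN=Myself"}, {"tls_keysize", "256 bits"} };
static const struct tls_row openssl_rows[] = { {"tls_library", "OpenSSL"}, {"tls_active", "yes"},
    {"tls_peerdn", "/C=AU/ST=NSW/L=Sydney/O=Home/CN=Myself"}, {"tls_keysize", "256 bits"} };
#define NROWS(a) ((int)(sizeof(a) / sizeof((a)[0])))
```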
