Re: Fwd: [PATCHES] Preliminary GSSAPI Patches

Tom,

> And even more curious to see you defend that offhanded bashing of
> OpenSSL, a tool a whole lot of people (including me) depend on all day
> every day. If Postgres had the market penetration of OpenSSL, our lives
> would be a lot different.  Have you got even a shred of evidence that
> GSSAPI is more stable than OpenSSL?

Short answer:
Existing Kerberos libs with GSSAPI may have the same issues; I don't know.  
What I was speaking in favor of was having several encryption mechanisms 
available so that at least one of them would be available on the user's 
system at installation time.  For that matter, I think we should support 
Gnu-TLS if someone offers us a patch.

Long Answer:
I've been dealing with OpenSSL binary incompatibility issues for the last 
few Solaris builds and it's made me very unhappy with the 
upgrade/versioning/linking of OpenSSL, and explained a lot of issues I've 
had around using OpenSSL with PostgreSQL and Apache previously.  That is, 
0.9.8 isn't always backwards compatible to 0.9.7 or 0.9.6, making 
applications built against one version of OpenSSL not necessarily portable 
or easily upgraded, and causing a lot of installation-related pain.

(yes, I know this describes PostgreSQL as well.  People complain about it 
all the time to us, and they're right)

When you combine that with the platform providers (like Novell, Sun and RH) 
treating OpenSSL as if there were no upgrade issues (even though there 
are), or being version-specific but not providing packages for other 
versions, you end up with a situation where a lot of users can't actually 
use OpenSSL on their system without ripping out a bunch of libraries and 
replacing them with compatible versions.  I've had this issue on SuSE, 
Solaris, and OSX at different times.

The OpenSSL team appears to be is very aware of these issues, which is why 
Richard Levitte started the OpenTLS project (www.opentls.org) as a 
successor to OpenSSL, where the issues are apparently insoluable 
9http://marc.info/?l=openssl-dev&m=113042556401979&w=2).  OpenSSL has also 
added a stronger EVP_API and some versioning of symbols in the most recent 
release, but that won't help most of our users for a while until 0.9.6 and 
0.9.7 dissapear from userspace.

Also, last I checked OpenSSL didn't ship with Windows and Kerberos 
encryption did.

-- 
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco