Re: PQgetssl() and alternative SSL implementations

On 2014-08-19 10:48:41 -0400, Stephen Frost wrote:
> > Exposing the SSL information as generic key/value pairs allows
> > adding more attributes in the future, without breaking the ABI, and
> > it also allows exposing implementation-specific information in a
> > generic way. The attributes listed above cover the needs of psql.
> > What else do we need?
>
> At first blush, I'd say a whole bunch.. Off the top of my head I can
> think of:
>
> For all certificates:
> (client, server, cert that signed each, any intermediate CAs, root CAs)
> Certificate itself (perhaps in DER, PEM, X509 formats..)
> Fingerprint
> Signed-By info
> Common Name
> Organization (et al)
> Alternate names
> Issue date, expiration date
> CRL info, OCSP info
> Allowed usage (encryption, signing, etc)
>
> CRL checking done?
> OCSP used?

I'm not really sure we need all that. We're not building a general ssl
library abstraction here. Presenting all those in a common and useful
format isn't trivial.

What I'm wondering is whether we should differentiate 'standard'
attributes that we require from ones that a library can supply
optionally. If we don't we'll have difficulty enlarging the 'standard'
set over time.

Greetings,

Andres Freund

--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services