Re: new libpq SSL connection option

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Alex Hunsaker <badalex(at)gmail(dot)com>, Andrew Chernow <ac(at)esilo(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: new libpq SSL connection option
Date: 2008-12-09 15:23:09
Message-ID: 493E8D5D.1080309@hagander.net
Lists: pgsql-hackers

Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> I would also like to look this over completely - we only support loading
>> the KEY from the smartcard, but you still have to manually copy the
>> certificate to your machine. I don't know exactly how you're supposed to
>> do this in OpenSSL - some googling shows almost nobody else uses the
>> functions quite the way we do. So I'd like to look over if we need to do
>> more around this later, but this patch should make it possible to use
>> keys from different files without breaking backwards compatibility with
>> what we had before. So I'm considering that a separate step, that may
>> not be done in time for 8.4.
>
> I'm confused here. Are you proposing user-visible changes that might
> not get done in time for 8.4? I don't much like the idea that the API
> is going to remain a moving target --- once 8.4 is out you will have
> backwards compatibility constraints with whatever it does. It would
> be better to avoid extending the feature set beyond what 8.3 can do
> until you are certain it's right.

I'm not proposing anything yet - I haven't read up on it.

If it does change, though, only the engine-specific stuff would change
AFAICT. The new functionality in this patch is all around specifying
filenames, so that would not change.

And most likely it would not be a change in visible behavior if I get
the time to "fix" that - it'll either just be an under-the-hood change,
or more likely an extension to the parameters. I see no reason why it
should have any user-visible change at all on the stuff that's in this
patch.

//Magnus
