Re: Supporting Windows SChannel as OpenSSL replacement

Andres Freund <andres@2ndquadrant.com>

From: Andres Freund <andres@2ndquadrant.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Heikki Linnakangas <hlinnakangas@vmware.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2014-06-09T14:22:21Z
Lists: pgsql-hackers
Hi,

On 2014-06-09 10:18:40 -0400, Tom Lane wrote:
> Does SChannel have a better security track record than OpenSSL?  Or is
> the point here just that we can define it as not our problem when a
> vulnerability surfaces?

Well, it's patched as part of the OS - so no new PG binaries have to be
released when it's buggy.

> I'm doubtful that we can ignore security issues affecting PG just because
> somebody else is responsible for shipping the fix, and thus am concerned
> that if we support N different SSL libraries, we will need to keep track
> of N sets of vulnerabilities instead of just one.

In most of the cases where such a issue exists it'll primarily affect
binary distributions that include the ssl library - and those will only
pick one anyway.

Greetings,

Andres Freund

-- 
 Andres Freund	                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services