Re: Supporting Windows SChannel as OpenSSL replacement

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Heikki Linnakangas <hlinnakangas@vmware.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2014-06-09T14:18:40Z
Lists: pgsql-hackers
Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> I've been looking at Windows' native SSL implementatation, the SChannel 
> API. It would be nice to support that as a replacement for OpenSSL on 
> Windows. Currently, we bundle the OpenSSL library in the PostgreSQL, 
> installers, which is annoying because whenever OpenSSL puts out a new 
> release that fixes vulnerabilities, we need to do a security release of 
> PostgreSQL on Windows.

Does SChannel have a better security track record than OpenSSL?  Or is
the point here just that we can define it as not our problem when a
vulnerability surfaces?

I'm doubtful that we can ignore security issues affecting PG just because
somebody else is responsible for shipping the fix, and thus am concerned
that if we support N different SSL libraries, we will need to keep track
of N sets of vulnerabilities instead of just one.

			regards, tom lane