Re: Supporting Windows SChannel as OpenSSL replacement
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Heikki Linnakangas <hlinnakangas@vmware.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2014-06-09T14:18:40Z
Lists: pgsql-hackers
Heikki Linnakangas <hlinnakangas@vmware.com> writes: > I've been looking at Windows' native SSL implementatation, the SChannel > API. It would be nice to support that as a replacement for OpenSSL on > Windows. Currently, we bundle the OpenSSL library in the PostgreSQL, > installers, which is annoying because whenever OpenSSL puts out a new > release that fixes vulnerabilities, we need to do a security release of > PostgreSQL on Windows. Does SChannel have a better security track record than OpenSSL? Or is the point here just that we can define it as not our problem when a vulnerability surfaces? I'm doubtful that we can ignore security issues affecting PG just because somebody else is responsible for shipping the fix, and thus am concerned that if we support N different SSL libraries, we will need to keep track of N sets of vulnerabilities instead of just one. regards, tom lane