Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> I've been looking at Windows' native SSL implementatation, the SChannel
> API. It would be nice to support that as a replacement for OpenSSL on
> Windows. Currently, we bundle the OpenSSL library in the PostgreSQL,
> installers, which is annoying because whenever OpenSSL puts out a new
> release that fixes vulnerabilities, we need to do a security release of
> PostgreSQL on Windows.
Does SChannel have a better security track record than OpenSSL? Or is
the point here just that we can define it as not our problem when a
vulnerability surfaces?
I'm doubtful that we can ignore security issues affecting PG just because
somebody else is responsible for shipping the fix, and thus am concerned
that if we support N different SSL libraries, we will need to keep track
of N sets of vulnerabilities instead of just one.
regards, tom lane