Re: [HACKERS] GnuTLS support - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: [HACKERS] GnuTLS support
Date
Msg-id E6E5596E-E891-41C7-8BCA-97D3C90A6352@yesql.se
Whole thread Raw
In response to Re: [HACKERS] GnuTLS support  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
> On 01 Sep 2017, at 20:00, Robert Haas <robertmhaas@gmail.com> wrote:
>
> On Fri, Sep 1, 2017 at 1:10 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Robert Haas <robertmhaas@gmail.com> writes:
>>> On Thu, Aug 31, 2017 at 1:52 PM, Andreas Karlsson <andreas@proxel.se> wrote:
>>>> I have seen discussions from time to time about OpenSSL and its licensing
>>>> issues so I decided to see how much work it would be to add support for
>>>> another TLS library, and  I went with GnuTLS since it is the library I know
>>>> best after OpenSSL and it is also a reasonably popular library.
>>
>>> Thanks for working on this.  I think it's good for PostgreSQL to have
>>> more options in this area.
>>
>> +1.  We also have a patch in the queue to support macOS' TLS library,
>> and I suppose that's going to be facing similar issues.  It would be
>> a good plan, probably, to try to push both of these to conclusion in
>> the same development cycle.
>
> The thing which I think would save the most aggravation - at least for
> my employer - is a Windows SSL implementation.

In 53EA546E.6020404@vmware.com, an early version of SChannel support was posted
by Heikki.  If anyone is keen to pick up the effort that would most likely be a
good starting point.

> Relying on OpenSSL
> means that every time OpenSSL puts out a critical security fix, we've
> got to rewrap all the Windows installers to pick up the new version.
> If we were relying on what's built into Windows, it would be
> Microsoft's problem.  Granted, it's not anybody's job to solve
> EnterpriseDB's problems except EnterpriseDB, but users might like it
> too -- and anyone else who is building Windows installers for
> PostgreSQL.
>
> Depending on macOS TLS instead of OpenSSL has similar advantages, of
> course, just for a somewhat less common platform.

I think providing alternatives to OpenSSL on platforms where OpenSSL can’t be
relied on to be already available (Windows and macOS come to mind) would be a
great thing for many users and app developers.

cheers ./daniel


pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: [HACKERS] Rename RECOVERYXLOG to RECOVERYWAL?
Next
From: Tom Lane
Date:
Subject: Re: [HACKERS] Missing SIZE_MAX