> On 01 Sep 2017, at 20:00, Robert Haas <robertmhaas@gmail.com> wrote:
>
> On Fri, Sep 1, 2017 at 1:10 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Robert Haas <robertmhaas@gmail.com> writes:
>>> On Thu, Aug 31, 2017 at 1:52 PM, Andreas Karlsson <andreas@proxel.se> wrote:
>>>> I have seen discussions from time to time about OpenSSL and its licensing
>>>> issues so I decided to see how much work it would be to add support for
>>>> another TLS library, and I went with GnuTLS since it is the library I know
>>>> best after OpenSSL and it is also a reasonably popular library.
>>
>>> Thanks for working on this. I think it's good for PostgreSQL to have
>>> more options in this area.
>>
>> +1. We also have a patch in the queue to support macOS' TLS library,
>> and I suppose that's going to be facing similar issues. It would be
>> a good plan, probably, to try to push both of these to conclusion in
>> the same development cycle.
>
> The thing which I think would save the most aggravation - at least for
> my employer - is a Windows SSL implementation.
In 53EA546E.6020404@vmware.com, an early version of SChannel support was posted
by Heikki. If anyone is keen to pick up the effort that would most likely be a
good starting point.
> Relying on OpenSSL
> means that every time OpenSSL puts out a critical security fix, we've
> got to rewrap all the Windows installers to pick up the new version.
> If we were relying on what's built into Windows, it would be
> Microsoft's problem. Granted, it's not anybody's job to solve
> EnterpriseDB's problems except EnterpriseDB, but users might like it
> too -- and anyone else who is building Windows installers for
> PostgreSQL.
>
> Depending on macOS TLS instead of OpenSSL has similar advantages, of
> course, just for a somewhat less common platform.
I think providing alternatives to OpenSSL on platforms where OpenSSL can’t be
relied on to be already available (Windows and macOS come to mind) would be a
great thing for many users and app developers.
cheers ./daniel
