Re: Supporting Windows SChannel as OpenSSL replacement

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Supporting Windows SChannel as OpenSSL replacement
Date: 2014-06-09 14:18:40
Message-ID: 27925.1402323520@sss.pgh.pa.us
Lists: pgsql-hackers

Heikki Linnakangas <hlinnakangas(at)vmware(dot)com> writes:
> I've been looking at Windows' native SSL implementation, the SChannel
> API. It would be nice to support that as a replacement for OpenSSL on
> Windows. Currently, we bundle the OpenSSL library in the PostgreSQL
> installers, which is annoying because whenever OpenSSL puts out a new
> release that fixes vulnerabilities, we need to do a security release of
> PostgreSQL on Windows.

Does SChannel have a better security track record than OpenSSL? Or is
the point here just that we can define it as not our problem when a
vulnerability surfaces?

I'm doubtful that we can ignore security issues affecting PG just because
somebody else is responsible for shipping the fix, and thus am concerned
that if we support N different SSL libraries, we will need to keep track
of N sets of vulnerabilities instead of just one.

regards, tom lane
