Re: [HACKERS] Channel binding support for SCRAM-SHA-256

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, PostgreSQL JDBC List <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: [HACKERS] Channel binding support for SCRAM-SHA-256
Date: 2017-05-30 14:50:22
Message-ID: 13406.1496155822@sss.pgh.pa.us
Lists: pgsql-hackers pgsql-jdbc

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> On Sat, May 27, 2017 at 5:59 PM, Álvaro Hernández Tortosa
> <aht(at)8kdata(dot)com> wrote:
>> - tls-unique, as you mentioned, uses two undocumented APIs. This raises a
>> small flag about the stability and future of those APIs.

> It seems to me that the question is not just whether those APIs will
> be available in future versions of OpenSSL, but whether they will be
> available in every current and future version of every SSL
> implementation that we may wish to use in core or that any client may
> wish to use. We've talked before about being able to use the Windows
> native SSL implementation rather than OpenSSL and it seems that there
> would be significant advantages in having that capability.

Another thing of the same sort that should be on our radar is making
use of Apple's TLS code on macOS. The handwriting on the wall is
unmistakable that they intend to stop shipping OpenSSL before long,
and I do not think we really want to be in a position of having to
bundle OpenSSL into our distribution on macOS.

I'm not volunteering to do that, mind you. But +1 for not tying new
features to any single TLS implementation.

regards, tom lane
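The thread is about which TLS stack can hand SCRAM the tls-unique value. The following is an added example, not code from this thread or from PostgreSQL, that shows what that value is used for: it implements the client-final / server-verify step of SCRAM-SHA-256-PLUS (RFC 5802 and RFC 7677) with a tls-unique channel binding and demonstrates that a TLS-terminating proxy, whose two TLS sessions have different Finished messages, makes the server reject an otherwise valid proof. The password, salt, nonces and the byte strings standing in for TLS Finished messages are constructed fixtures; in a real client the cbind-data would come from the TLS library (Python exposes it as `ssl.SSLSocket.get_channel_binding("tls-unique")`; PostgreSQL has to get it from whichever TLS implementation it is built against, which is the portability problem discussed above).

```python
import base64
import hashlib
import hmac

CB_TYPE = "tls-unique"
GS2_HEADER = f"p={CB_TYPE},,"  # "p=": client supports channel binding and uses it


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802: PBKDF2 with HMAC-SHA-256, dkLen = 32 for SCRAM-SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(password: bytes, salt: bytes, iterations: int):
    """Return (ClientKey, StoredKey, ServerKey). The server only stores StoredKey and ServerKey."""
    salted = hi(password, salt, iterations)
    client_key = hmac_sha256(salted, b"Client Key")
    server_key = hmac_sha256(salted, b"Server Key")
    return client_key, h(client_key), server_key


def cbind_attribute(tls_unique: bytes) -> str:
    """The c= attribute is base64(gs2-header || cbind-data). For tls-unique the
    cbind-data is the first TLS Finished message of the connection, so only the
    TLS stack that negotiated the session can supply it."""
    return base64.b64encode(GS2_HEADER.encode() + tls_unique).decode()


def client_final_message(password, salt, iterations, client_first_bare, server_first,
                         tls_unique, nonce):
    client_key, stored_key, _ = derive_keys(password, salt, iterations)
    without_proof = f"c={cbind_attribute(tls_unique)},r={nonce}"
    # AuthMessage binds the nonces, the salt/iteration count and the channel binding
    auth_message = f"{client_first_bare},{server_first},{without_proof}"
    client_signature = hmac_sha256(stored_key, auth_message.encode())
    proof = base64.b64encode(xor(client_key, client_signature)).decode()
    return f"{without_proof},p={proof}"


def server_verify(stored_key, server_tls_unique, client_first_bare, server_first,
                  client_final) -> bool:
    attrs = dict(kv.split("=", 1) for kv in client_final.split(","))
    # 1. The c= value must match the Finished message of *this* TLS connection.
    if not hmac.compare_digest(attrs["c"], cbind_attribute(server_tls_unique)):
        return False
    # 2. Recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    without_proof = client_final.rsplit(",p=", 1)[0]
    auth_message = f"{client_first_bare},{server_first},{without_proof}"
    client_signature = hmac_sha256(stored_key, auth_message.encode())
    recovered_client_key = xor(base64.b64decode(attrs["p"]), client_signature)
    return hmac.compare_digest(h(recovered_client_key), stored_key)


# Constructed fixtures (not real traffic): fixed nonces, salt and iteration count.
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-salt"
ITERATIONS = 4096
NONCE = "clientnonce0000servernonce1111"
CLIENT_FIRST_BARE = "n=alice,r=clientnonce0000"
SERVER_FIRST = f"r={NONCE},s={base64.b64encode(SALT).decode()},i={ITERATIONS}"


def run_handshake(client_tls_unique: bytes, server_tls_unique: bytes,
                  server_password: bytes = PASSWORD) -> bool:
    """Simulate client-final / server-verify. Each tls-unique value is the Finished
    message the respective side saw on its own TLS connection; they differ when a
    proxy terminates TLS and opens a second session to the server."""
    _, stored_key, _ = derive_keys(server_password, SALT, ITERATIONS)
    client_final = client_final_message(PASSWORD, SALT, ITERATIONS, CLIENT_FIRST_BARE,
                                        SERVER_FIRST, client_tls_unique, NONCE)
    return server_verify(stored_key, server_tls_unique, CLIENT_FIRST_BARE, SERVER_FIRST,
                         client_final)


if __name__ == "__main__":
    finished = bytes.fromhex("0102030405060708090a0b0c")   # constructed Finished message
    print("direct connection:", run_handshake(finished, finished))
    print("TLS-terminating proxy:", run_handshake(finished, bytes.fromhex("ffeeddccbbaa")))
```

Two caveats a practitioner would want: the server must also check that the r= nonce it receives is the one it issued (omitted above for brevity), and tls-unique is only defined for TLS 1.2 and earlier; for TLS 1.3 the channel binding type is tls-exporter (RFC 9266), which again has to be obtained from the TLS implementation in use.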
