Re: [JDBC] Channel binding support for SCRAM-SHA-256

> On 30 May 2017, at 16:50, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> On Sat, May 27, 2017 at 5:59 PM, Álvaro Hernández Tortosa
>> <aht(at)8kdata(dot)com> wrote:
>>> - tls-unique, as you mentioned, uses two undocumented APIs. This raises a
>>> small flag about the stability and future of those APIs.
>
>> It seems to me that the question is not just whether those APIs will
>> be available in future versions of OpenSSL, but whether they will be
>> available in every current and future version of every SSL
>> implementation that we may wish to use in core or that any client may
>> wish to use. We've talked before about being able to use the Windows
>> native SSL implementation rather than OpenSSL and it seems that there
>> would be significant advantages in having that capability.
>
> Another thing of the same sort that should be on our radar is making
> use of Apple's TLS code on macOS. The handwriting on the wall is
> unmistakable that they intend to stop shipping OpenSSL before long,
> and I do not think we really want to be in a position of having to
> bundle OpenSSL into our distribution on macOS.
>
> I'm not volunteering to do that, mind you. But +1 for not tying new
> features to any single TLS implementation.

Big +1. The few settings we have already make it hard to provide other
implementations as drop-in replacements (Secure Transport doesn’t support
.crl files for example, only CRL loaded in Keychains).

cheers ./daniel