From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, PostgreSQL JDBC List <pgsql-jdbc(at)postgresql(dot)org> |
Subject: | Re: [JDBC] Channel binding support for SCRAM-SHA-256 |
Date: | 2017-05-30 20:04:53 |
Message-ID: | 6D8E8A58-A7A8-4829-A0F1-F50E5A130F3A@yesql.se |
Lists: | pgsql-hackers pgsql-jdbc |
> On 30 May 2017, at 16:50, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> On Sat, May 27, 2017 at 5:59 PM, Álvaro Hernández Tortosa
>> <aht(at)8kdata(dot)com> wrote:
>>> - tls-unique, as you mentioned, uses two undocumented APIs. This raises a
>>> small flag about the stability and future of those APIs.
>
>> It seems to me that the question is not just whether those APIs will
>> be available in future versions of OpenSSL, but whether they will be
>> available in every current and future version of every SSL
>> implementation that we may wish to use in core or that any client may
>> wish to use. We've talked before about being able to use the Windows
>> native SSL implementation rather than OpenSSL and it seems that there
>> would be significant advantages in having that capability.
>
> Another thing of the same sort that should be on our radar is making
> use of Apple's TLS code on macOS. The handwriting on the wall is
> unmistakable that they intend to stop shipping OpenSSL before long,
> and I do not think we really want to be in a position of having to
> bundle OpenSSL into our distribution on macOS.
>
> I'm not volunteering to do that, mind you. But +1 for not tying new
> features to any single TLS implementation.

Big +1. The few settings we have already make it hard to provide other
implementations as drop-in replacements (Secure Transport doesn’t support
.crl files for example, only CRL loaded in Keychains).

cheers ./daniel