Quick Links

Re: Support for NSS as a libpq TLS backend

From:	Daniel Gustafsson <daniel(at)yesql(dot)se>
To:	Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>
Cc:	Robert Haas <robertmhaas(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Julien Rouhaud <rjuju123(at)gmail(dot)com>, Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>
Subject:	Re: Support for NSS as a libpq TLS backend
Date:	2022-02-03 14:53:49
Message-ID:	87A43C79-A8FF-4C06-A3BF-288869E4AC02@yesql.se
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

> On 3 Feb 2022, at 15:07, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> wrote:
>
> On 28.01.22 15:30, Robert Haas wrote:
>> I would really, really like to have an alternative to OpenSSL for PG.
>
> What are the reasons people want that? With OpenSSL 3, the main reasons -- license and FIPS support -- have gone away.

At least it will go away when OpenSSL 3 is FIPS certified, which is yet to
happen (submitted, not processed).

I see quite a few valid reasons to want an alternative, a few off the top of my
head include:

- Using trust stores like Keychain on macOS with Secure Transport. There is
AFAIK something similar on Windows and NSS has it's certificate databases.
Especially on client side libpq it would be quite nice to integrate with where
certificates already are rather than rely on files on disks.

- Not having to install OpenSSL, Schannel and Secure Transport would make life
easier for packagers.

- Simply having an alternative. The OpenSSL projects recent venture into
writing transport protocols have made a lot of people worried over their
bandwidth for fixing and supporting core features.

Just my $0.02, everyones mileage varies on these.

--
Daniel Gustafsson https://vmware.com/

In response to

Re: Support for NSS as a libpq TLS backend at 2022-02-03 14:07:42 from Peter Eisentraut

Responses

Re: Support for NSS as a libpq TLS backend at 2022-02-03 18:43:28 from Stephen Frost
Re: Support for NSS as a libpq TLS backend at 2022-02-03 19:16:00 from Peter Eisentraut

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	houzj.fnst@fujitsu.com	2022-02-03 15:10:48	RE: row filtering for logical replication
Previous Message	Dag Lem	2022-02-03 14:27:32	Re: daitch_mokotoff module