Re: Supporting Windows SChannel as OpenSSL replacement

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Andreas Karlsson <andreas(at)proxel(dot)se>
Cc: Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Supporting Windows SChannel as OpenSSL replacement
Date: 2014-06-09 13:35:23
Message-ID: CABUevEwDhR3NQDCchJeabwz2ugW+8vC+Q7Bu21GL_nS3gOHxBw@mail.gmail.com
Lists: pgsql-hackers

On Mon, Jun 9, 2014 at 3:19 PM, Andreas Karlsson <andreas(at)proxel(dot)se> wrote:

> On 06/09/2014 01:45 PM, Heikki Linnakangas wrote:
>
>> Thoughts? While we're at it, we'll probably want to refactor things so
>> that it's easy to support other SSL implementations too, like gnutls.
>>
>
> There was a patch set for this from Martijn van Oosterhout which was quite
> complete.
>
> http://www.postgresql.org/message-id/20060504134807.GK4752@svana.org

A lot has, unfortunately, changed since 2006. It might be a good
starting point. But also actively starting from the point of "let's try to
support multiple libraries" rather than "let's try to support gnutls" is
probably also important.

> I am interested in dropping the dependency on OpenSSL, if only to fix the
> situation with Debian, libreadline and OpenSSL[1].
>

That's one of the many reasons, yes :)

At some point we should design a new API, so that we can deprecate the old
one. Even if we don't have the code ready, we need to get rid of PQgetssl(),
and replace it with something else. I'm thinking probably a function that
returns both a void pointer and an enum that tells you which library is
actually in use. And a boolean just saying "ssl on/off", because that's
what a lot of clients are interested in and they don't care about more than
that.

Obviously, we also have to do something about PQinitOpenSSL().

Unfortunately, I think it's too late to do that for 9.4 - otherwise it
would've been good to have a whole cycle of deprecation on it...

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
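
A sketch of the API shape proposed in the message above, added here as an illustration and not code from the thread or from libpq: every `demo_` name and both stand-in session structs are hypothetical. It shows why the library tag matters: the caller casts the opaque handle only after checking which TLS library produced it, and falls back safely for one it does not know.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; none of this is libpq API. */
typedef enum { DEMO_TLS_NONE, DEMO_TLS_OPENSSL, DEMO_TLS_SCHANNEL, DEMO_TLS_OTHER } demo_tls_lib;

/* Stand-ins for library-specific session objects (constructed). */
typedef struct { const char *cipher; } demo_openssl_session;
typedef struct { unsigned int alg_id; } demo_schannel_ctx;

typedef struct { demo_tls_lib lib; void *handle; } demo_conn;

/* The on/off answer most clients want, with no library types involved. */
bool demo_ssl_in_use(const demo_conn *conn)
{
    return conn != NULL && conn->lib != DEMO_TLS_NONE && conn->handle != NULL;
}

/* Opaque handle plus a tag telling the caller how to interpret it. */
void *demo_get_tls_handle(const demo_conn *conn, demo_tls_lib *lib)
{
    bool on = demo_ssl_in_use(conn);
    *lib = on ? conn->lib : DEMO_TLS_NONE;
    return on ? conn->handle : NULL;
}

/* Caller side: cast only after checking the tag. Returns 0 when the
 * session was described, -1 when the library is one we do not know. */
int demo_describe(const demo_conn *conn, char *out, size_t n)
{
    demo_tls_lib lib;
    void *h = demo_get_tls_handle(conn, &lib);

    switch (lib) {
    case DEMO_TLS_NONE:
        snprintf(out, n, "plaintext");
        return 0;
    case DEMO_TLS_OPENSSL:
        snprintf(out, n, "openssl:%s", ((demo_openssl_session *) h)->cipher);
        return 0;
    case DEMO_TLS_SCHANNEL:
        snprintf(out, n, "schannel:0x%x", ((demo_schannel_ctx *) h)->alg_id);
        return 0;
    default:
        snprintf(out, n, "encrypted, unknown library");
        return -1;
    }
}
```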
