Re: WIP: Secure Transport support as OpenSSL alternative on macOS

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: WIP: Secure Transport support as OpenSSL alternative on macOS
Date: 2016-10-05 18:55:46
Message-ID: CABUevEw+KEi_mqFDDP1mdCUjj=z8jGqJ6_tsK5d7Qrq6z9tKSg@mail.gmail.com
Lists: pgsql-hackers

On Wed, Oct 5, 2016 at 8:42 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > On Wed, Oct 5, 2016 at 5:36 AM, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> >> The main questions raised here are: is it of interest to support multiple SSL
> >> libraries given the additional support burden and; is supporting Secure
> >> Transport of any interest or is it a wasted effort to continue towards a full
> >> frontend/backend/doc submission?
>
> > I think this is highly worthwhile. I wish we could interest someone
> > in doing the work for Windows ... but I'm a macOS user myself, so I'll
> > be happy to have you fix my future compile problems for me.
>
> "Future"? Apple isn't even shipping the OpenSSL headers anymore, and
> I imagine soon no libraries either. We really have got little choice
> on that platform but to do something with Secure Transport. I'm glad
> somebody is taking up the task.
>

Sure we do. Windows doesn't ship them either, and yet somehow Postgres
manages to work just fine there, including with openssl support. There's
nothing more magic about macOS than there is for Windows.

That said, I agree that somebody is picking up the task. I actually think
it would be a lot more useful to get Windows SChannel support (because it's
*much* more of a PITA to get OpenSSL onto Windows than it is to get it onto
macOS) or even more so NSS (because then every platform could use that, and
they have other integrations too). But one important point is that once we
have *two* implementations (openssl + macos) then we will know a lot more
about the correct places for abstractions etc, and adding the third one
is probably going to be easier (but not easy). But let's make sure we keep
in mind there should be more than just these two implementations when
defining any external interfaces.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
