From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andreas Karlsson <andreas(at)proxel(dot)se>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: GnuTLS support |
Date: | 2017-09-01 18:11:09 |
Message-ID: | E6E5596E-E891-41C7-8BCA-97D3C90A6352@yesql.se |
Lists: | pgsql-hackers |

> On 01 Sep 2017, at 20:00, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> On Fri, Sep 1, 2017 at 1:10 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>>> On Thu, Aug 31, 2017 at 1:52 PM, Andreas Karlsson <andreas(at)proxel(dot)se> wrote:
>>>> I have seen discussions from time to time about OpenSSL and its licensing
>>>> issues so I decided to see how much work it would be to add support for
>>>> another TLS library, and I went with GnuTLS since it is the library I know
>>>> best after OpenSSL and it is also a reasonably popular library.
>>
>>> Thanks for working on this. I think it's good for PostgreSQL to have
>>> more options in this area.
>>
>> +1. We also have a patch in the queue to support macOS' TLS library,
>> and I suppose that's going to be facing similar issues. It would be
>> a good plan, probably, to try to push both of these to conclusion in
>> the same development cycle.
>
> The thing which I think would save the most aggravation - at least for
> my employer - is a Windows SSL implementation.

In 53EA546E(dot)6020404(at)vmware(dot)com, an early version of SChannel support was posted
by Heikki. If anyone is keen to pick up the effort that would most likely be a
good starting point.

> Relying on OpenSSL
> means that every time OpenSSL puts out a critical security fix, we've
> got to rewrap all the Windows installers to pick up the new version.
> If we were relying on what's built into Windows, it would be
> Microsoft's problem. Granted, it's not anybody's job to solve
> EnterpriseDB's problems except EnterpriseDB, but users might like it
> too -- and anyone else who is building Windows installers for
> PostgreSQL.
>
> Depending on macOS TLS instead of OpenSSL has similar advantages, of
> course, just for a somewhat less common platform.

I think providing alternatives to OpenSSL on platforms where OpenSSL can’t be
relied on to be already available (Windows and macOS come to mind) would be a
great thing for many users and app developers.

cheers ./daniel