Supporting Windows SChannel as OpenSSL replacement

Hi,

I've been looking at Windows' native SSL implementation, the SChannel 
API. It would be nice to support that as a replacement for OpenSSL on 
Windows. Currently, we bundle the OpenSSL library in the PostgreSQL 
installers, which is annoying because whenever OpenSSL puts out a new 
release that fixes vulnerabilities, we need to do a security release of 
PostgreSQL on Windows. I was reminded of this recently wrt. psqlODBC, 
which bundles libpq and openssl as well. It's particularly annoying for 
psqlODBC and other client applications, as people typically update it 
less diligently than their servers.

I think that we should keep the user-visible behavior the same, i.e. the 
libpq connection options, locations of the certificate files etc. would 
all be the same regardless of which SSL implementation is used. Using 
Windows SChannel API might make it possible to integrate better with 
Windows' own certificate store etc. but I don't really know much about 
that stuff, so for starters I'd like to just use it as a drop-in 
replacement for OpenSSL.

Thoughts? While we're at it, we'll probably want to refactor things so 
that it's easy to support other SSL implementations too, like gnutls.

- Heikki


