Re: Supporting Windows SChannel as OpenSSL replacement
| From | Tom Lane |
|---|---|
| Subject | Re: Supporting Windows SChannel as OpenSSL replacement |
| Date | |
| Msg-id | 27925.1402323520@sss.pgh.pa.us |
| In response to | Supporting Windows SChannel as OpenSSL replacement (Heikki Linnakangas <hlinnakangas@vmware.com>) |
| Responses | Re: Supporting Windows SChannel as OpenSSL replacement |
| List | pgsql-hackers |
Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> I've been looking at Windows' native SSL implementation, the SChannel
> API. It would be nice to support that as a replacement for OpenSSL on
> Windows. Currently, we bundle the OpenSSL library in the PostgreSQL
> installers, which is annoying because whenever OpenSSL puts out a new
> release that fixes vulnerabilities, we need to do a security release of
> PostgreSQL on Windows.

Does SChannel have a better security track record than OpenSSL? Or is
the point here just that we can define it as not our problem when a
vulnerability surfaces?

I'm doubtful that we can ignore security issues affecting PG just because
somebody else is responsible for shipping the fix, and thus am concerned
that if we support N different SSL libraries, we will need to keep track
of N sets of vulnerabilities instead of just one.

regards, tom lane