> On 30 May 2017, at 16:50, Tom Lane <t...@sss.pgh.pa.us> wrote:
>
> Robert Haas <robertmh...@gmail.com> writes:
>> On Sat, May 27, 2017 at 5:59 PM, Álvaro Hernández Tortosa
>> <a...@8kdata.com> wrote:
>>> - tls-unique, as you mentioned, uses two undocumented APIs. This raises a
>>> small flag about the stability and future of those APIs.
>
>> It seems to me that the question is not just whether those APIs will
>> be available in future versions of OpenSSL, but whether they will be
>> available in every current and future version of every SSL
>> implementation that we may wish to use in core or that any client may
>> wish to use. We've talked before about being able to use the Windows
>> native SSL implementation rather than OpenSSL and it seems that there
>> would be significant advantages in having that capability.
>
> Another thing of the same sort that should be on our radar is making
> use of Apple's TLS code on macOS. The handwriting on the wall is
> unmistakable that they intend to stop shipping OpenSSL before long,
> and I do not think we really want to be in a position of having to
> bundle OpenSSL into our distribution on macOS.
>
> I'm not volunteering to do that, mind you. But +1 for not tying new
> features to any single TLS implementation.

Big +1. The few settings we have already make it hard to provide other
implementations as drop-in replacements (Secure Transport doesn’t support .crl
files for example, only CRL loaded in Keychains).

cheers ./daniel

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers