On Thu, Oct 19, 2017 at 1:15 AM, Satyanarayana Narlapuram
wrote:
> Tom, Robert, Microsoft is interested in supporting Windows SChannel for
> Postgres. Please let us know how we can help taking this forward. We would love
> contributing to this either by enhancing the original patch provided by
> H
Subject: Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement
Robert Haas writes:
> Heikki, do you have any plans to work more on this?
> Or does anyone else?
FWIW, I have some interest in the Apple Secure Transport patch that is in the
CF queue, and will probably pick that up a
On Wed, Oct 18, 2017 at 2:50 PM, Tom Lane wrote:
> Robert Haas writes:
>> Heikki, do you have any plans to work more on this?
>> Or does anyone else?
>
> FWIW, I have some interest in the Apple Secure Transport patch that
> is in the CF queue, and will probably pick that up at some point if
> no
Robert Haas writes:
> Heikki, do you have any plans to work more on this?
> Or does anyone else?
FWIW, I have some interest in the Apple Secure Transport patch that
is in the CF queue, and will probably pick that up at some point if
no one beats me to it (but it's not real high on my to-do list).
On Tue, Aug 12, 2014 at 1:52 PM, Heikki Linnakangas
wrote:
> On 08/06/2014 08:37 PM, Jeff Janes wrote:
>>
>> But now it looks like 0002 needs a rebase
>
> I've committed the refactoring patch, and here's a rebased and improved
> version of the Windows SChannel implementation over that.
>
> Ser
Heikki Linnakangas writes:
> On 08/15/2014 08:16 PM, Jeff Janes wrote:
>> Should the ereport DEBUG2 be inside the "#ifdef USE_SSL"?
> Yeah.
> I've been thinking though, perhaps we should always have the ssl_in_use,
> peer_cn and peer_cert_valid members in the Port struct. If not compiled
> wit
On 08/15/2014 08:16 PM, Jeff Janes wrote:
On Tue, Aug 12, 2014 at 10:52 AM, Heikki Linnakangas <
hlinnakan...@vmware.com> wrote:
On 08/06/2014 08:37 PM, Jeff Janes wrote:
But now it looks like 0002 needs a rebase
I've committed the refactoring patch, and here's a rebased and improved
ve
On Tue, Aug 12, 2014 at 10:52 AM, Heikki Linnakangas <
hlinnakan...@vmware.com> wrote:
> On 08/06/2014 08:37 PM, Jeff Janes wrote:
>
>> But now it looks like 0002 needs a rebase
>>
>
> I've committed the refactoring patch, and here's a rebased and improved
> version of the Windows SChannel imp
On Tue, Aug 12, 2014 at 1:52 PM, Heikki Linnakangas
wrote:
> This isn't a showstopper, but needs some thought. As the patch stands, it
> uses a single key container called "PostgreSQL server key container", and
> makes no attempt to delete the keys after they're no longer used. That
> works, but i
On 08/06/2014 08:37 PM, Jeff Janes wrote:
But now it looks like 0002 needs a rebase
I've committed the refactoring patch, and here's a rebased and improved
version of the Windows SChannel implementation over that.
Server-side support is now implemented too, but it's all very crude and
w
On Fri, Aug 1, 2014 at 10:58 AM, Heikki Linnakangas wrote:
> On 07/08/2014 08:11 PM, Jeff Janes wrote:
>
>> Is there some recipe for testing the 0002 patch? Can it be tested on a
>> MinGW environment, or does it need to use the Microsoft supplied
>> compilers?
>>
>
> I used MSVC. It ought to wo
On 07/08/2014 08:11 PM, Jeff Janes wrote:
Is there some recipe for testing the 0002 patch? Can it be tested on a
MinGW environment, or does it need to use the Microsoft supplied compilers?
I used MSVC. It ought to work with MinGW, I think, although you might
need to tweak the Makefiles to ma
On 07/11/2014 08:39 PM, Alvaro Herrera wrote:
Heikki Linnakangas wrote:
I did again the refactoring you did back in 2006, patch attached.
One thing I did differently: I moved the raw, non-encrypted,
read/write functions to separate functions: pqsecure_raw_read and
pqsecure_raw_write. Those func
Heikki Linnakangas wrote:
> I did again the refactoring you did back in 2006, patch attached.
> One thing I did differently: I moved the raw, non-encrypted,
> read/write functions to separate functions: pqsecure_raw_read and
> pqsecure_raw_write. Those functions encapsulate the SIGPIPE
> handling.
On Thu, Jun 26, 2014 at 4:26 PM, Andreas Karlsson wrote:
> On 06/24/2014 03:20 AM, Jeff Janes wrote:
>
>> I've tried your 0001 patch, reflecting this refactoring, on Linux and it
>> caused 'make check' to hang at 'starting postmaster'.
>>
>
> I found the bug in the code, and I have attached a
On 06/24/2014 03:20 AM, Jeff Janes wrote:
I've tried your 0001 patch, reflecting this refactoring, on Linux and it
caused 'make check' to hang at 'starting postmaster'.
I found the bug in the code, and I have attached a patch which you
can apply on top of the patch. The regression tests pa
On Wed, Jun 11, 2014 at 7:51 AM, Heikki Linnakangas
wrote:
>
>
> I did again the refactoring you did back in 2006, patch attached. One thing
> I did differently: I moved the raw, non-encrypted, read/write functions to
> separate functions: pqsecure_raw_read and pqsecure_raw_write. Those
> function
On Mon, Jun 9, 2014 at 7:45 PM, Heikki Linnakangas
wrote:
> On 06/09/2014 06:03 PM, Magnus Hagander wrote:
>
>> One tricky part is that programs like to use libpq for the
>>
>>> >authentication, and then they hijack the connection using PGgetssl().
>>> >
>>>
>> Is there *anybody* other than odbc
On 06/09/2014 06:03 PM, Magnus Hagander wrote:
One tricky part is that programs like to use libpq for the
>authentication, and then they hijack the connection using PGgetssl().
>
Is there *anybody* other than odbc that does that? Do we actually need a
published API for that, or just a hack for
On Mon, Jun 09, 2014 at 11:39:17PM +0900, MauMau wrote:
> From: "Heikki Linnakangas"
> >Thoughts? While we're at it, we'll probably want to refactor
> >things so that it's easy to support other SSL implementations too,
> >like gnutls.
>
> That may be good because it provides users with choices.
On Mon, Jun 9, 2014 at 4:39 PM, Martijn van Oosterhout
wrote:
> On Mon, Jun 09, 2014 at 03:35:23PM +0200, Magnus Hagander wrote:
> > On Mon, Jun 9, 2014 at 3:19 PM, Andreas Karlsson
> wrote:
> >
> > > On 06/09/2014 01:45 PM, Heikki Linnakangas wrote:
> > > There was a patch set for this from Mar
On Mon, Jun 9, 2014 at 10:40 AM, Heikki Linnakangas
wrote:
> Right. I have no idea what SChannel's track record is, but when there's a
> vulnerability in the native SSL implementation in Windows, you better
> upgrade anyway, regardless of PostgreSQL. So when we rely on that, we don't
> put any ext
On 06/09/2014 05:22 PM, Andres Freund wrote:
Hi,
On 2014-06-09 10:18:40 -0400, Tom Lane wrote:
Does SChannel have a better security track record than OpenSSL? Or is
the point here just that we can define it as not our problem when a
vulnerability surfaces?
Well, it's patched as part of the O
On Mon, Jun 09, 2014 at 03:35:23PM +0200, Magnus Hagander wrote:
> On Mon, Jun 9, 2014 at 3:19 PM, Andreas Karlsson wrote:
>
> > On 06/09/2014 01:45 PM, Heikki Linnakangas wrote:
> > There was a patch set for this from Martijn van Oosterhout which was quite
> > complete.
> >
> > http://www.postgr
From: "Heikki Linnakangas"
Thoughts? While we're at it, we'll probably want to refactor things so
that it's easy to support other SSL implementations too, like gnutls.
That may be good because it provides users with choices. But I wonder if it
is worth the complexity and maintainability of P
Hi,
On 2014-06-09 10:18:40 -0400, Tom Lane wrote:
> Does SChannel have a better security track record than OpenSSL? Or is
> the point here just that we can define it as not our problem when a
> vulnerability surfaces?
Well, it's patched as part of the OS - so no new PG binaries have to be
releas
Heikki Linnakangas writes:
> I've been looking at Windows' native SSL implementation, the SChannel
> API. It would be nice to support that as a replacement for OpenSSL on
> Windows. Currently, we bundle the OpenSSL library in the PostgreSQL
> installers, which is annoying because whenever Op
On Mon, Jun 9, 2014 at 3:02 PM, Marko Kreen wrote:
> On Mon, Jun 09, 2014 at 02:45:08PM +0300, Heikki Linnakangas wrote:
> > Thoughts? While we're at it, we'll probably want to refactor things
> > so that it's easy to support other SSL implementations too, like
> > gnutls.
>
> One project that is
On Mon, Jun 9, 2014 at 3:19 PM, Andreas Karlsson wrote:
> On 06/09/2014 01:45 PM, Heikki Linnakangas wrote:
>
>> Thoughts? While we're at it, we'll probably want to refactor things so
>> that it's easy to support other SSL implementations too, like gnutls.
>>
>
> There was a patch set for this fr
On 06/09/2014 01:45 PM, Heikki Linnakangas wrote:
Thoughts? While we're at it, we'll probably want to refactor things so
that it's easy to support other SSL implementations too, like gnutls.
There was a patch set for this from Martijn van Oosterhout which was
quite complete.
http://www.postg
On Mon, Jun 09, 2014 at 02:45:08PM +0300, Heikki Linnakangas wrote:
> Thoughts? While we're at it, we'll probably want to refactor things
> so that it's easy to support other SSL implementations too, like
> gnutls.
One project that is proud to support several SSL implementations
is curl: http://cu
On 2014-06-09 13:53:15 +0200, Magnus Hagander wrote:
> The main other entries I've been looking at are NSS and gnutls, both of
> which can speak our current file formats. I think the right thing is to
> start with those and thereby make it more pluggable, and only after that
> tackle schannel. But
On 06/09/2014 02:53 PM, Magnus Hagander wrote:
Also, my memory says that SChannel doesn't support the key file format that
we use now, which makes a much bigger break with the supported platforms.
That may have changed of course - have you researched that part?
A quick web search turned up a fe
On Monday, June 9, 2014, Heikki Linnakangas wrote:
> Hi,
>
> I've been looking at Windows' native SSL implementation, the SChannel
> API. It would be nice to support that as a replacement for OpenSSL on
> Windows. Currently, we bundle the OpenSSL library in the PostgreSQL
> installers, which i
Hi,
I've been looking at Windows' native SSL implementation, the SChannel
API. It would be nice to support that as a replacement for OpenSSL on
Windows. Currently, we bundle the OpenSSL library in the PostgreSQL
installers, which is annoying because whenever OpenSSL puts out a new
release