Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2017-10-19 Thread Robert Haas
On Thu, Oct 19, 2017 at 1:15 AM, Satyanarayana Narlapuram wrote: > Tom, Robert, Microsoft is interested in supporting windows SChannel for > Postgres. Please let know how we can help taking this forward. We would love > contributing to this either by

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2017-10-19 Thread Satyanarayana Narlapuram
as Karlsson <andr...@proxel.se>; Martijn van Oosterhout <klep...@svana.org>; Magnus Hagander <mag...@hagander.net>; PostgreSQL-development <pgsql-hackers@postgresql.org> Subject: Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement Robert Haas <robertmh...@gmail

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2017-10-18 Thread Robert Haas
On Wed, Oct 18, 2017 at 2:50 PM, Tom Lane wrote: > Robert Haas writes: >> Heikki, do you have any plans to work more on this? >> Or does anyone else? > > FWIW, I have some interest in the Apple Secure Transport patch that > is in the CF queue, and will

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2017-10-18 Thread Tom Lane
Robert Haas writes: > Heikki, do you have any plans to work more on this? > Or does anyone else? FWIW, I have some interest in the Apple Secure Transport patch that is in the CF queue, and will probably pick that up at some point if no one beats me to it (but it's not real

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2017-10-18 Thread Robert Haas
On Tue, Aug 12, 2014 at 1:52 PM, Heikki Linnakangas wrote: > On 08/06/2014 08:37 PM, Jeff Janes wrote: >> >> But now it looks like 0002 needs a rebase > > I've committed the refactoring patch, and here's a rebased and improved > version of the Windows SChannel

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-08-15 Thread Jeff Janes
On Tue, Aug 12, 2014 at 10:52 AM, Heikki Linnakangas hlinnakan...@vmware.com wrote: On 08/06/2014 08:37 PM, Jeff Janes wrote: But now it looks like 0002 needs a rebase I've committed the refactoring patch, and here's a rebased and improved version of the Windows SChannel

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-08-15 Thread Heikki Linnakangas
On 08/15/2014 08:16 PM, Jeff Janes wrote: On Tue, Aug 12, 2014 at 10:52 AM, Heikki Linnakangas hlinnakan...@vmware.com wrote: On 08/06/2014 08:37 PM, Jeff Janes wrote: But now it looks like 0002 needs a rebase I've committed the refactoring patch, and here's a rebased and improved

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-08-15 Thread Tom Lane
Heikki Linnakangas hlinnakan...@vmware.com writes: On 08/15/2014 08:16 PM, Jeff Janes wrote: Should the ereport DEBUG2 be inside the #ifdef USE_SSL? Yeah. I've been thinking though, perhaps we should always have the ssl_in_use, peer_cn and peer_cert_valid members in the Port struct. If not

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-08-14 Thread Robert Haas
On Tue, Aug 12, 2014 at 1:52 PM, Heikki Linnakangas hlinnakan...@vmware.com wrote: This isn't a showstopper, but needs some thought. As the patch stands, it uses a single key container called PostgreSQL server key container, and makes no attempt to delete the keys after they're no longer used.

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-08-12 Thread Heikki Linnakangas
On 08/06/2014 08:37 PM, Jeff Janes wrote: But now it looks like 0002 needs a rebase I've committed the refactoring patch, and here's a rebased and improved version of the Windows SChannel implementation over that. Server-side support is now implemented too, but it's all very crude and

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-08-06 Thread Jeff Janes
On Fri, Aug 1, 2014 at 10:58 AM, Heikki Linnakangas hlinnakan...@vmware.com wrote: On 07/08/2014 08:11 PM, Jeff Janes wrote: Is there some recipe for testing the 0002 patch? Can it be tested on a MinGW environment, or does it need to use the Microsoft supplied compilers? I used MSVC.

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-08-01 Thread Heikki Linnakangas
On 07/11/2014 08:39 PM, Alvaro Herrera wrote: Heikki Linnakangas wrote: I did again the refactoring you did back in 2006, patch attached. One thing I did differently: I moved the raw, non-encrypted, read/write functions to separate functions: pqsecure_raw_read and pqsecure_raw_write. Those

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-08-01 Thread Heikki Linnakangas
On 07/08/2014 08:11 PM, Jeff Janes wrote: Is there some recipe for testing the 0002 patch? Can it be tested on a MinGW environment, or does it need to use the Microsoft supplied compilers? I used MSVC. It ought to work with MinGW, I think, although you might need to tweak the Makefiles to

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-07-11 Thread Alvaro Herrera
Heikki Linnakangas wrote: I did again the refactoring you did back in 2006, patch attached. One thing I did differently: I moved the raw, non-encrypted, read/write functions to separate functions: pqsecure_raw_read and pqsecure_raw_write. Those functions encapsulate the SIGPIPE handling. The

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-07-08 Thread Jeff Janes
On Thu, Jun 26, 2014 at 4:26 PM, Andreas Karlsson andr...@proxel.se wrote: On 06/24/2014 03:20 AM, Jeff Janes wrote: I've tried your 0001 patch, reflecting this refactoring, on Linux and it caused 'make check' to hang at 'starting postmaster'. I found the bug in the code, and I have

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-26 Thread Andreas Karlsson
On 06/24/2014 03:20 AM, Jeff Janes wrote: I've tried your 0001 patch, reflecting this refactoring, on Linux and it caused 'make check' to hang at 'starting postmaster'. I found the bug in the code, and I have attached a patch which you can apply on top of the patch. The regression tests

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Magnus Hagander
On Monday, June 9, 2014, Heikki Linnakangas hlinnakan...@vmware.com wrote: Hi, I've been looking at Windows' native SSL implementation, the SChannel API. It would be nice to support that as a replacement for OpenSSL on Windows. Currently, we bundle the OpenSSL library in the PostgreSQL installers,

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Heikki Linnakangas
On 06/09/2014 02:53 PM, Magnus Hagander wrote: Also, my memory says that SChannel doesn't support the key file format that we use now, which makes a much bigger break with the supported platforms. That may have changed of course - have you researched that part? A quick web search turned up a

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Andres Freund
On 2014-06-09 13:53:15 +0200, Magnus Hagander wrote: The main other entries I've been looking at are NSS and gnutls, both of which can speak our current file formats. I think the right thing is to start with those and thereby make it more pluggable, and only after that tackle schannel. But I

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Marko Kreen
On Mon, Jun 09, 2014 at 02:45:08PM +0300, Heikki Linnakangas wrote: Thoughts? While we're at it, we'll probably want to refactor things so that it's easy to support other SSL implementations too, like gnutls. One project that is proud to support several SSL implementations is curl:

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Andreas Karlsson
On 06/09/2014 01:45 PM, Heikki Linnakangas wrote: Thoughts? While we're at it, we'll probably want to refactor things so that it's easy to support other SSL implementations too, like gnutls. There was a patch set for this from Martijn van Oosterhout which was quite complete.

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Magnus Hagander
On Mon, Jun 9, 2014 at 3:19 PM, Andreas Karlsson andr...@proxel.se wrote: On 06/09/2014 01:45 PM, Heikki Linnakangas wrote: Thoughts? While we're at it, we'll probably want to refactor things so that it's easy to support other SSL implementations too, like gnutls. There was a patch set for

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Magnus Hagander
On Mon, Jun 9, 2014 at 3:02 PM, Marko Kreen mark...@gmail.com wrote: On Mon, Jun 09, 2014 at 02:45:08PM +0300, Heikki Linnakangas wrote: Thoughts? While we're at it, we'll probably want to refactor things so that it's easy to support other SSL implementations too, like gnutls. One

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Tom Lane
Heikki Linnakangas hlinnakan...@vmware.com writes: I've been looking at Windows' native SSL implementation, the SChannel API. It would be nice to support that as a replacement for OpenSSL on Windows. Currently, we bundle the OpenSSL library in the PostgreSQL installers, which is annoying

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Andres Freund
Hi, On 2014-06-09 10:18:40 -0400, Tom Lane wrote: Does SChannel have a better security track record than OpenSSL? Or is the point here just that we can define it as not our problem when a vulnerability surfaces? Well, it's patched as part of the OS - so no new PG binaries have to be released

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread MauMau
From: Heikki Linnakangas hlinnakan...@vmware.com Thoughts? While we're at it, we'll probably want to refactor things so that it's easy to support other SSL implementations too, like gnutls. That may be good because it provides users with choices. But I wonder if it is worth the complexity

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Martijn van Oosterhout
On Mon, Jun 09, 2014 at 03:35:23PM +0200, Magnus Hagander wrote: On Mon, Jun 9, 2014 at 3:19 PM, Andreas Karlsson andr...@proxel.se wrote: On 06/09/2014 01:45 PM, Heikki Linnakangas wrote: There was a patch set for this from Martijn van Oosterhout which was quite complete.

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Heikki Linnakangas
On 06/09/2014 05:22 PM, Andres Freund wrote: Hi, On 2014-06-09 10:18:40 -0400, Tom Lane wrote: Does SChannel have a better security track record than OpenSSL? Or is the point here just that we can define it as not our problem when a vulnerability surfaces? Well, it's patched as part of the

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Robert Haas
On Mon, Jun 9, 2014 at 10:40 AM, Heikki Linnakangas hlinnakan...@vmware.com wrote: Right. I have no idea what SChannel's track record is, but when there's a vulnerability in the native SSL implementation in Windows, you better upgrade anyway, regardless of PostgreSQL. So when we rely on that,

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Magnus Hagander
On Mon, Jun 9, 2014 at 4:39 PM, Martijn van Oosterhout klep...@svana.org wrote: On Mon, Jun 09, 2014 at 03:35:23PM +0200, Magnus Hagander wrote: On Mon, Jun 9, 2014 at 3:19 PM, Andreas Karlsson andr...@proxel.se wrote: On 06/09/2014 01:45 PM, Heikki Linnakangas wrote: There was a

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Martijn van Oosterhout
On Mon, Jun 09, 2014 at 11:39:17PM +0900, MauMau wrote: From: Heikki Linnakangas hlinnakan...@vmware.com Thoughts? While we're at it, we'll probably want to refactor things so that it's easy to support other SSL implementations too, like gnutls. That may be good because it provides users

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Heikki Linnakangas
On 06/09/2014 06:03 PM, Magnus Hagander wrote: One tricky part is that programs like to use libpq for the authentication, and then they hijack the connection using PGgetssl(). Is there *anybody* other than odbc that does that? Do we actually need a published API for that, or just a hack for

Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

2014-06-09 Thread Magnus Hagander
On Mon, Jun 9, 2014 at 7:45 PM, Heikki Linnakangas hlinnakan...@vmware.com wrote: On 06/09/2014 06:03 PM, Magnus Hagander wrote: One tricky part is that programs like to use libpq for the authentication, and then they hijack the connection using PGgetssl(). Is there *anybody* other than