Details
Type: Task
Priority: Major
Status: Closed
Resolution: Won't Fix
Description
Since Schannel is closed source, it can be pretty difficult to debug when it doesn't work properly. CONC-417 / MDEV-13492 is an example of a bug with an unknown cause that has been very difficult to debug.
We may want to consider using a different TLS library than Schannel.
We can't use OpenSSL in MariaDB Connector/C's packages right now, because OpenSSL's custom license is incompatible with MariaDB Connector/C's LGPL license. There are plans to relicense OpenSSL with the Apache License 2.0, which would allow us to use it in MariaDB Connector/C's packages, but that process has not been completed.
In contrast, GnuTLS is already licensed as LGPL, so it can be used in MariaDB Connector/C's packages already.
If we moved from Schannel to GnuTLS on Windows, some potential changes are listed below.
Losses:
- MariaDB Connector/C doesn't support certificate revocation lists (CRLs) when it is built with GnuTLS, but it does support them when built with Schannel (see https://mariadb.com/kb/en/library/secure-connections-overview/#certificate-revocation-lists-crls).
- Users wouldn't be able to get updates to MariaDB Connector/C's TLS library using Windows update.
Gains:
- MariaDB Connector/C doesn't support password-protected private keys when built with Schannel, but it does support them when built with GnuTLS.
Issue Links
- relates to:
  - CONC-391 Unknown SSL error - MariaDB (Closed)
  - CONC-433 Add CRL support in GnuTLS module (Closed)
  - MDEV-13492 main.ssl_connect failed with 2026: Unknown SSL error (0x80090308) (Closed)
  - MDEV-13726 main.ssl_timeout, main.ssl_7937 failed (sporadically) in buildbot, unknown SSL error (0x80090308) (Closed)
  - CONC-417 Windows clients using Schannel often encounter error SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid (Closed)