Since Schannel is closed source, it can be pretty difficult to debug when it doesn't work properly.
CONC-417 / MDEV-13492 is an example of a bug with an unknown cause that has been very difficult to debug.
We may want to consider using a different TLS library than Schannel.
We can't use OpenSSL in MariaDB Connector/C's packages right now, because OpenSSL's custom license is incompatible with MariaDB Connector/C's LGPL license. There are plans to relicense OpenSSL with the Apache License 2.0, which would allow us to use it in MariaDB Connector/C's packages, but that process has not been completed.
In contrast, GnuTLS is already licensed as LGPL, so it can be used in MariaDB Connector/C's packages already.
If we moved from Schannel to GnuTLS on Windows, the notable consequences would be:
- MariaDB Connector/C doesn't support certificate revocation lists (CRLs) when it is built with GnuTLS, but it does support them when built with Schannel. See https://mariadb.com/kb/en/library/secure-connections-overview/#certificate-revocation-lists-crls
- Users wouldn't be able to get updates to MariaDB Connector/C's TLS library through Windows Update; TLS fixes would instead ship only with new Connector/C releases.
- MariaDB Connector/C doesn't support password-protected private keys when built with Schannel, but it does support them when built with GnuTLS.