RFC: Adding Mac support to secur32/schannel.c

[Henri Verbeet]

On 1 February 2011 02:08, Juan Lang <juan.lang at gmail.com> wrote:
> Sure, I can buy that.  I'll note that OpenSSL is also available for
> the Mac, and already loaded by wininet and winhttp.  It could be
> appropriate to move from GnuTLS to OpenSSL for schannel, so we'd only
> have a single implementation for both Linux and Mac in schannel.
>
Well, I think that regardless of what schannel ends up using, wininet
and winhttp should be implemented on top schannel in the long term,
instead of using OpenSSL directly. I don't think GnuTLS is really the
problem though, or that the existing schannel code is particularly
badly implemented. It seems to me that it's more a case of the
schannel / secur32 API being somewhat unclear, even to the
applications actually using it. Tests would certainly help there, but
what IMO complicates writing them is that only the client part of
schannel is currently implemented.

>> Well, it doesn't help make schannel less buggy, but it doesn't aim to.  However, it does help Macs without GnuTLS (the default) go from a completely non-functional schannel to a merely buggy schannel.
>
> I suppose that argument is also why we got the buggy (sorry, Henri)
> GnuTLS schannel in the first place.
Not really. IMO it's just a case of neglect. For what it's worth, at
some point the plan at CodeWeavers was that Hans would do some work on
schannel, but I assume msi bugs took priority there.