From: Enrique Soriano
Date: Sun, 22 Mar 2026 11:53:59 +0100
Subject: Re: Proposal: Implementing Botan as an alternative TLS backend for PostgreSQL
To: Javier Gutierrez-Maturana sanchez
Cc: pgsql-hackers@lists.postgresql.org, Gorka Guardiola

I’m not quite sure why I was included in this thread, I am not interested in this topic. Kindly remove me from any future emails.

Regards,
Enrique

On Sat, 21 Mar 2026 at 19:44, Javier Gutierrez-Maturana sanchez <fj.gutierrezs91@gmail.com> wrote:

> Hello PostgreSQL community,
>
> I would like to start a discussion regarding the feasibility of decoupling
> our current TLS implementation to allow for alternative cryptographic
> backends, specifically **Botan** (via its C wrapper).
>
> While OpenSSL is the current standard, the "rules of the game" in software
> engineering are changing. The advent of advanced AI-assisted development
> tools now provides the technical viability to undertake significant
> refactorings—such as abstracting the network security layer—with much
> higher precision and lower overhead than in the past.
>
> The primary motivation for adding Botan support is **compliance and
> architectural flexibility**:
>
> 1. **Regulatory Requirements:** In jurisdictions like Spain, the **CCN
> (Centro Criptológico Nacional)** sets specific standards for cryptographic
> modules. Having an alternative like Botan facilitates certification in
> these restricted environments.
> 2. **Architectural Robustness:** A provider-agnostic TLS layer makes
> PostgreSQL more resilient to library-specific vulnerabilities or licensing
> changes.
> 3. **Modern Integration:** Using Botan's C wrappers allows the engine to
> benefit from a modern C++ cryptographic core while maintaining the
> project's C-based architecture.
>
> I am interested in knowing the community's stance on abstracting
> `be-secure-openssl.c` into a more generic interface.
>
> Best regards,
>
> [Your Name]
>
> ---
>
> ### Appendix: Proof of Concept - Proxy Model with Botan
>
> To validate the viability of Botan in high-security environments without
> depending on OpenSSL's native integration, I have developed a reference
> implementation available at:
> 👉 [https://github.com/jgmatu/management-sensors](https://github.com/jgmatu/management-sensors)
>
> **Architectural Model:**
> In this project, I implemented a **Quantum-Safe Proxy** that acts as a
> bridge between non-PQC clients and the core system. Key features of this
> model include:
>
> * **Decoupled TLS Engine:** Using `QuantumSafeTlsEngine` (based on Botan
> TLS v1.3) to handle all secure handshakes independently of the application
> logic.
> * **Reactive Event Bus:** Utilizing PostgreSQL's `LISTEN/NOTIFY` mechanism
> to manage state and configurations without direct coupling between the
> server and the controllers.
> * **Post-Quantum Ready:** Demonstrating that Botan can provide PQC
> (Post-Quantum Cryptography) algorithms today, which is a requirement
> increasingly demanded by national security agencies like the CCN.
>
> This proxy model proves that Botan is not only a viable alternative but
> also provides advanced features that are currently difficult to implement
> with a hard dependency on OpenSSL.