Alternative TLS implementation using WinAPI Schannel

[Kazmirchuk]

Hello,
The current support TLS in nats.c based exclusively on OpenSSL has certain concerns on Windows, such as:

• no integration with the Windows certificate store out-of-the-box (I can workaround it by loading all certificates myself into natsOptions_SetCATrustedCertificates but I'm still not sure about reliability of this approach)
• OpenSSL is not available on Windows, so we need to ship our own build of OpenSSL in our product's installer, which might complicate (or even make impossible) the audit for STIG or FIPS 140-2 etc

These drawbacks can be avoided if nats.c includes an alternative TLS implementation using Windows Schannel Security Service Provider - something like this example, I suppose. Git is a notable example of an application that supports both OpenSSL and Schannel backends.

I realize that this work might be far beyond your commitment, so I'm raising this enhancement issue to ask, whether you would accept a PR with this implementation.

[Kazmirchuk]

any opinion on this?
btw I noticed support for Windows certificate store in the NATS roadmap as well

[Kazmirchuk]

Hello,

this is still relevant for us. Would a PR be welcome or this does not fit in your roadmap? do other NATS clients allow to choose a TLS backend?

[levb]

@Kazmirchuk I don't really see why we would not (gratefully) accept a PR that provided an optional, Windows-native implementation. Elsewhere we rely on OpenSSL, and do not have other optional implementations.