What
OpenSSL is an opt-in feature today (CMakeLists.txt:184-189). For production defaults, OpenSSL should be enabled by default, and the repository should document how the project maps to ISO/IEC 27001 A.10 (cryptography) and A.13 (communication security).
- Current: OpenSSL optional; no ISO 27001 compliance docs
- Expected: OpenSSL ON by default;
docs/compliance/ISO_27001.md added
- Scope:
CMakeLists.txt, docs/compliance/**, vcpkg.json defaults
Why
- Shipping a database client with TLS off-by-default is a security smell
- Enterprise adopters ask for ISO 27001 evidence at procurement time
- Brings database into line with
logger_system and pacs_system security stance
How
Technical Approach
- Flip
USE_OPENSSL default to ON, keep opt-out for minimal embedded builds
- Verify
secure_connection.h covers TLS 1.2+ and certificate validation
- Author
docs/compliance/ISO_27001.md mapping A.10 / A.13 controls to features
- Update README with a "Security posture" section
Acceptance Criteria
What
OpenSSL is an opt-in feature today (
CMakeLists.txt:184-189). For production defaults, OpenSSL should be enabled by default, and the repository should document how the project maps to ISO/IEC 27001 A.10 (cryptography) and A.13 (communication security).docs/compliance/ISO_27001.mdaddedCMakeLists.txt,docs/compliance/**, vcpkg.json defaultsWhy
logger_systemandpacs_systemsecurity stanceHow
Technical Approach
USE_OPENSSLdefault to ON, keep opt-out for minimal embedded buildssecure_connection.hcovers TLS 1.2+ and certificate validationdocs/compliance/ISO_27001.mdmapping A.10 / A.13 controls to featuresAcceptance Criteria