From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: some PostgreSQL 12 release notes comments |
Date: | 2019-10-02 07:09:30 |
Message-ID: | 20191002070930.GF6962@tamriel.snowman.net |
Lists: | pgsql-hackers |
Greetings,
* Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
> On 2019-09-17 22:22, Tom Lane wrote:
> > Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> writes:
> >> * Add GSSAPI encryption support (Robbie Harwood, Stephen Frost)
> >> This allows TCP/IP connections to be encrypted when using GSSAPI
> >> authentication without having to set up a separate encryption facility
> >> like SSL.
> > Hmm, does that imply that you don't have to have compiled --with-openssl,
> > or just that you don't have to bother with setting up SSL certificates?
> > But you already don't have to do the latter. I'd be the first to admit
> > that I know nothing about GSSAPI, but this text still doesn't enlighten
> > me about why I should learn.
>
> It means, more or less, if you already have the client and the server do
> the GSS dance for authentication, you just have to turn on an additional
> flag and they'll also encrypt the communication while they're at it.
>
> This does not require SSL support.
>
> So if you already have a Kerberos infrastructure set up, you can get
> wire encryption for almost free without having to set up a parallel SSL
> CA infrastructure. Which is great for administration.
Right- and moreover, you *do* get mutual authentication between the
client and the server when using Kerberos. This is markedly better than
"TLS/SSL with snakeoil certs, just to get encryption"- it's just about
equivalent to a full PKI environment with client and server validation
and encryption, but without needing openssl or SSL of any kind.
Thanks,
Stephen
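The "additional flag" Peter refers to is, on the server side, the `hostgssenc` connection type in pg_hba.conf: a plain `host ... gss` entry still authenticates with Kerberos but will accept a cleartext TCP session. The following is an added audit script (not code from this thread or from the PostgreSQL project) that parses pg_hba.conf and reports GSSAPI entries which do not force an encrypted transport; it assumes the PostgreSQL 12 pg_hba.conf syntax and a constructed sample file.

```python
"""Audit pg_hba.conf for GSSAPI auth entries that do not require wire encryption.

Added example, not PostgreSQL project code. Assumes PostgreSQL 12 syntax:
TYPE DATABASE USER ADDRESS METHOD [OPTIONS], with TYPE in local, host, hostssl,
hostnossl, hostgssenc, hostnogssenc, and 'gss' as the GSSAPI auth method.
"""
from dataclasses import dataclass

# Connection types that guarantee an encrypted transport for the matched entry.
ENCRYPTED_TYPES = {"hostgssenc", "hostssl"}


@dataclass
class HbaEntry:
    lineno: int
    conn_type: str
    database: str
    user: str
    address: str   # "" for local (Unix-socket) entries
    method: str
    options: tuple


def parse_hba(text):
    """Parse pg_hba.conf text; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn_type, database, user = fields[:3]
        rest, address = fields[3:], ""
        if conn_type != "local":
            address = rest.pop(0)
            # "ADDRESS NETMASK" form: a netmask looks like an IP, a method never does.
            if rest and ("." in rest[0] or ":" in rest[0]):
                address += "/" + rest.pop(0)
        entries.append(HbaEntry(lineno, conn_type, database, user,
                                address, rest[0], tuple(rest[1:])))
    return entries


def gss_without_encryption(entries):
    """Entries that authenticate via GSSAPI but would accept a cleartext TCP session."""
    return [e for e in entries if e.method == "gss" and e.conn_type not in ENCRYPTED_TYPES]


# Constructed sample: line 3 only authenticates with Kerberos; line 4 also
# requires GSSAPI encryption on the wire (the PG12 feature discussed above).
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS                    METHOD
local      all       all                              peer
host       all       all   10.0.0.0/8                 gss include_realm=0 krb_realm=EXAMPLE.COM
hostgssenc all       all   10.0.0.0/8                 gss include_realm=0 krb_realm=EXAMPLE.COM
host       all       all   192.168.1.0 255.255.255.0  scram-sha-256
"""

if __name__ == "__main__":
    for e in gss_without_encryption(parse_hba(SAMPLE_HBA)):
        print(f"line {e.lineno}: {e.conn_type} {e.address} {e.method} -> use hostgssenc")
```

On the client side the matching setting is the libpq `gssencmode=require` connection parameter, which refuses to proceed if the server cannot negotiate GSSAPI encryption.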