Re: some PostgreSQL 12 release notes comments

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: some PostgreSQL 12 release notes comments
Date: 2019-09-18 09:16:35
Message-ID: 877af7a0-57dd-b269-d305-0f8a3c5a9f49@2ndquadrant.com
Lists: pgsql-hackers

On 2019-09-17 22:22, Tom Lane wrote:
> Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> writes:
>> * Add GSSAPI encryption support (Robbie Harwood, Stephen Frost)
>> This allows TCP/IP connections to be encrypted when using GSSAPI
>> authentication without having to set up a separate encryption facility
>> like SSL.
> Hmm, does that imply that you don't have to have compiled --with-openssl,
> or just that you don't have to bother with setting up SSL certificates?
> But you already don't have to do the latter. I'd be the first to admit
> that I know nothing about GSSAPI, but this text still doesn't enlighten
> me about why I should learn.

It means, more or less, if you already have the client and the server do
the GSS dance for authentication, you just have to turn on an additional
flag and they'll also encrypt the communication while they're at it.

This does not require SSL support.

So if you already have a Kerberos infrastructure set up, you can get
wire encryption for almost free without having to set up a parallel SSL
CA infrastructure. Which is great for administration.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
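An added example, not part of the original message or of PostgreSQL's own code: a small audit of `pg_hba.conf` that reports, for each rule using `gss` authentication, whether the rule's connection type guarantees wire encryption. The message does not name the setting involved; in PostgreSQL 12 the server-side control is the `hostgssenc` record type (the client-side counterpart is libpq's `gssencmode`). The sample file is constructed, and the parser assumes no quoted fields and no include directives.

```python
import ipaddress

# Record types that carry an address field (PostgreSQL 12 pg_hba.conf).
VERDICT = {
    "hostgssenc": "gss-encrypted",         # only matches GSSAPI-encrypted connections
    "hostssl": "tls-encrypted",            # only matches SSL connections
    "host": "plaintext-possible",          # matches encrypted and unencrypted alike
    "hostnossl": "plaintext-possible",     # SSL excluded, GSS encryption not required
    "hostnogssenc": "plaintext-possible",  # GSS encryption excluded, SSL not required
}

# Constructed sample, not taken from any real deployment.
SAMPLE_HBA = """\
# TYPE        DATABASE USER ADDRESS                    METHOD
local         all      all                             peer
host          all      all  10.0.0.0/8                 gss include_realm=0
hostgssenc    all      all  10.0.0.0/8                 gss include_realm=0
hostssl       all      all  192.168.1.0 255.255.255.0  gss
hostnogssenc  all      all  0.0.0.0/0                  reject
"""


def _is_ip(token):
    """True if token parses as a bare IP address (used to spot a netmask field)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_hba(text):
    """Return [(line_number, record_type, verdict)] for every rule that uses gss auth."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # simplification: '#' always starts a comment
        if not fields or fields[0] not in VERDICT:
            continue
        # Layout: type database user address [netmask] method [options...]
        has_mask = len(fields) > 5 and "/" not in fields[3] and _is_ip(fields[4])
        method_idx = 5 if has_mask else 4
        if len(fields) > method_idx and fields[method_idx] == "gss":
            findings.append((lineno, fields[0], VERDICT[fields[0]]))
    return findings


if __name__ == "__main__":
    for lineno, rtype, verdict in audit_hba(SAMPLE_HBA):
        print(f"line {lineno}: {rtype:<12} {verdict}")
```

A `plaintext-possible` verdict means the rule authenticates with GSSAPI but leaves encryption to the client's choice; rules are matched in order, so an earlier `host ... gss` line can accept an unencrypted connection before a later `hostgssenc` line is reached.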
