| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | edgecase14(at)gmail(dot)com, pgsql-docs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: unclear wording re: spoofing prevention on network connections |
| Date: | 2023-12-09 16:52:52 |
| Message-ID: | CAOuzzgpKGS5HtT5e=5DsKuUmm0Q2MQkp_n0vWBk0y74g6qzdTg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-docs |
Greetings,
On Sat, Dec 9, 2023 at 17:29 Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> On Fri, Dec 8, 2023 at 05:42:27PM +0000, PG Doc comments form wrote:
> > The following documentation comment has been logged on the website:
> >
> > Page: https://www.postgresql.org/docs/16/preventing-server-spoofing.html
> > Description:
> >
> > When I read:
> > To prevent spoofing on TCP connections, either use SSL certificates and
> make
> > sure that clients check the server's certificate, or use GSSAPI
> encryption
> > (or both, if they're on separate connections).
> >
> > It takes some thought to figure out what "separate connections" are being
> > referred to. Does it mean separate TLS connection and
> > non-tls-with-gssapi-encryption?
Short answer here is “yes, you understand correctly.”
I have no idea. It was added in this commit:
…
Agreed that the wording isn’t great.
The idea is that you can use both TLS and GSSAPI-with-encryption at the
same time within a given cluster for connections but you wouldn’t use them
on the same connection. Certainly would welcome suggestions as to the best
way to phrase that.
Thanks,
Stephen
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David G. Johnston | 2023-12-09 17:01:43 | Re: unclear wording re: spoofing prevention on network connections |
| Previous Message | Bruce Momjian | 2023-12-09 16:29:00 | Re: unclear wording re: spoofing prevention on network connections |