Re: some PostgreSQL 12 release notes comments - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: some PostgreSQL 12 release notes comments
Date
Msg-id 20191002070930.GF6962@tamriel.snowman.net
In response to Re: some PostgreSQL 12 release notes comments  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
List pgsql-hackers
Greetings,

* Peter Eisentraut (peter.eisentraut@2ndquadrant.com) wrote:
> On 2019-09-17 22:22, Tom Lane wrote:
> > Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> >> * Add GSSAPI encryption support (Robbie Harwood, Stephen Frost)
> >>   This allows TCP/IP connections to be encrypted when using GSSAPI
> >>   authentication without having to set up a separate encryption facility
> >>   like SSL.
> > Hmm, does that imply that you don't have to have compiled --with-openssl,
> > or just that you don't have to bother with setting up SSL certificates?
> > But you already don't have to do the latter.  I'd be the first to admit
> > that I know nothing about GSSAPI, but this text still doesn't enlighten
> > me about why I should learn.
>
> It means, more or less, if you already have the client and the server do
> the GSS dance for authentication, you just have to turn on an additional
> flag and they'll also encrypt the communication while they're at it.
>
> This does not require SSL support.
>
> So if you already have a Kerberos infrastructure set up, you can get
> wire encryption for almost free without having to set up a parallel SSL
> CA infrastructure.  Which is great for administration.

Right, and moreover, you *do* get mutual authentication between the
client and the server when using Kerberos.  This is markedly better than
"TLS/SSL with snakeoil certs, just to get encryption"; it's just about
equivalent to a full PKI environment with client and server validation
and encryption, but without needing openssl or SSL of any kind.

Thanks,

Stephen
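As an added illustration (not part of the thread or of the PostgreSQL docs), here is what the "additional flag" above looks like in PostgreSQL 12: the pg_hba.conf entry that only matches GSS-encrypted sessions, the libpq parameter that refuses to fall back to plaintext, and the catalog view that confirms a session really is both Kerberos-authenticated and encrypted. The network, realm, host, database and user values are placeholders.

```text
# --- pg_hba.conf (server side), PostgreSQL 12 or later ---------------------
#
# Weak: a plain "host" line matches GSS-encrypted *and* plaintext TCP
# sessions, so a client that negotiates gssencmode=disable still passes
# Kerberos authentication but sends every query and result in the clear.
host         all  all  10.0.0.0/8  gss  include_realm=0 krb_realm=EXAMPLE.ORG

# Hardened: "hostgssenc" matches only sessions where GSSAPI encryption was
# negotiated; the following "hostnogssenc" line turns away everything else,
# so an unencrypted session can never reach an authentication method.
hostgssenc   all  all  10.0.0.0/8  gss  include_realm=0 krb_realm=EXAMPLE.ORG
hostnogssenc all  all  10.0.0.0/8  reject

# --- client side (libpq 12 or later) ---------------------------------------
#
# The default gssencmode=prefer silently falls back to a plaintext session
# when GSS encryption cannot be negotiated (e.g. no ticket in the cache);
# "require" makes the connection fail instead.
#   psql "host=db.example.org dbname=app user=alice gssencmode=require"
# or, for every libpq client in the environment:
#   export PGGSSENCMODE=require

# --- verification from inside the session (SQL) ----------------------------
#
# Both properties the post describes are reported per backend:
# gss_authenticated = mutual Kerberos authentication happened,
# encrypted         = the wire is GSSAPI-encrypted.
#   SELECT gss_authenticated, principal, encrypted
#     FROM pg_stat_gssapi
#    WHERE pid = pg_backend_pid();
```

With the hardened pg_hba.conf lines, the query should show `encrypted = t` for every GSS session; a row with `gss_authenticated = t` and `encrypted = f` is exactly the "Kerberos without wire encryption" case the weak configuration allows.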

