On Sat, Dec 9, 2023 at 17:29 Bruce Momjian <bruce@momjian.us> wrote:
On Fri, Dec 8, 2023 at 05:42:27PM +0000, PG Doc comments form wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/16/preventing-server-spoofing.html
> Description:
>
> When I read:
> To prevent spoofing on TCP connections, either use SSL certificates and make
> sure that clients check the server's certificate, or use GSSAPI encryption
> (or both, if they're on separate connections).
>
> It takes some thought to figure out what "separate connections" are being
> referred to. Does it mean separate TLS connection and
> non-tls-with-gssapi-encryption?
Short answer here is “yes, you understand correctly.”
I have no idea. It was added in this commit:
…
Agreed that the wording isn’t great.
The idea is that you can use both TLS and GSSAPI-with-encryption at the same time within a given cluster for connections but you wouldn’t use them on the same connection. Certainly would welcome suggestions as to the best way to phrase that.
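
An added illustration of the "separate connections" reading discussed in this thread (not part of the original messages or of the PostgreSQL documentation): one cluster accepts both kinds of encrypted connection, and each individual client connection uses one or the other. The networks, host name, database name and certificate path are placeholders.

```conf
# --- Server side: pg_hba.conf (constructed example) ---
# TYPE       DATABASE  USER  ADDRESS           METHOD
# Matches only TCP connections that were made with TLS.
hostssl      all       all   192.0.2.0/24      scram-sha-256
# Matches only TCP connections that were made with GSSAPI encryption.
hostgssenc   all       all   198.51.100.0/24   gss

# --- Client side: libpq connection strings (constructed example) ---
# Connection A: TLS, with the client checking the server's certificate.
host=db.example.com dbname=app sslmode=verify-full sslrootcert=/path/to/root.crt gssencmode=disable
# Connection B: GSSAPI encryption, no TLS on this connection.
host=db.example.com dbname=app gssencmode=require
```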