Greetings,

On Sat, Dec 9, 2023 at 17:29 Bruce Momjian <br...@momjian.us> wrote:

> On Fri, Dec 8, 2023 at 05:42:27PM +0000, PG Doc comments form wrote:
> > The following documentation comment has been logged on the website:
> >
> > Page: https://www.postgresql.org/docs/16/preventing-server-spoofing.html
> > Description:
> >
> > When I read:
> > To prevent spoofing on TCP connections, either use SSL certificates and make
> > sure that clients check the server's certificate, or use GSSAPI encryption
> > (or both, if they're on separate connections).
> >
> > It takes some thought to figure out what "separate connections" are being
> > referred to. Does it mean separate TLS connection and
> > non-tls-with-gssapi-encryption?

Short answer here is “yes, you understand correctly.”

I have no idea. It was added in this commit:

…

Agreed that the wording isn’t great. The idea is that you can use both TLS and GSSAPI-with-encryption at the same time within a given cluster for connections but you wouldn’t use them on the same connection.

Certainly would welcome suggestions as to the best way to phrase that.

Thanks,

Stephen
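An added illustration of the "both, on separate connections" case discussed in this thread (not part of the original message or of the PostgreSQL documentation): a `pg_hba.conf` fragment in which one cluster accepts TLS connections and GSSAPI-encrypted connections side by side. The database, role, network and host names are constructed placeholders.

```conf
# pg_hba.conf (constructed example; names and networks are placeholders)
# TYPE       DATABASE  USER      ADDRESS         METHOD

# Connection class 1: TLS-encrypted TCP connections.
# The client must verify the server certificate for spoofing protection, e.g.
#   psql "host=db.example.internal dbname=appdb user=app_rw sslmode=verify-full sslrootcert=root.crt"
hostssl      appdb     app_rw    10.0.0.0/8      scram-sha-256

# Connection class 2: GSSAPI-encrypted TCP connections (no TLS on this connection).
# The Kerberos exchange authenticates the server to the client, e.g.
#   psql "host=db.example.internal dbname=appdb gssencmode=require"
hostgssenc   appdb     all       10.0.0.0/8      gss include_realm=0

# No plain "host" lines: a TCP connection that is neither TLS nor
# GSSAPI-encrypted matches no entry above and is refused.
```

Each individual connection matches exactly one of the two record types, which is the sense in which TLS and GSSAPI encryption coexist in the cluster without being layered on the same connection.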