Greetings,

* Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
> On 2019-09-17 22:22, Tom Lane wrote:
> > Peter Eisentraut <peter.eisentr...@2ndquadrant.com> writes:
> >> * Add GSSAPI encryption support (Robbie Harwood, Stephen Frost)
> >> This allows TCP/IP connections to be encrypted when using GSSAPI
> >> authentication without having to set up a separate encryption facility
> >> like SSL.
> > Hmm, does that imply that you don't have to have compiled --with-openssl,
> > or just that you don't have to bother with setting up SSL certificates?
> > But you already don't have to do the latter. I'd be the first to admit
> > that I know nothing about GSSAPI, but this text still doesn't enlighten
> > me about why I should learn.
>
> It means, more or less, if you already have the client and the server do
> the GSS dance for authentication, you just have to turn on an additional
> flag and they'll also encrypt the communication while they're at it.
>
> This does not require SSL support.
>
> So if you already have a Kerberos infrastructure set up, you can get
> wire encryption for almost free without having to set up a parallel SSL
> CA infrastructure. Which is great for administration.
Right- and moreover, you *do* get mutual authentication between the client and the server when using Kerberos. This is markedly better than "TLS/SSL with snakeoil certs, just to get encryption"- it's just about equivalent to a full PKI environment with client and server validation and encryption, but without needing openssl or SSL of any kind.

Thanks,

Stephen
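As an added illustration that is not part of the thread, the "additional flag" Peter refers to, shown on both sides: a pg_hba.conf rule that accepts only GSSAPI-encrypted sessions, the matching libpq connection option, and the catalog view for checking the result. The realm, keytab path, address range and host name are placeholders.

```conf
# pg_hba.conf (server side). A plain "host ... gss" line would authenticate
# with Kerberos but leave the session in cleartext; "hostgssenc" matches only
# connections that are also GSSAPI-encrypted, and the "hostnogssenc" line
# turns away anything that is not.
# TYPE        DATABASE  USER  ADDRESS      METHOD  OPTIONS
hostgssenc    all       all   10.0.0.0/8   gss     include_realm=0 krb_realm=EXAMPLE.COM
hostnogssenc  all       all   10.0.0.0/8   reject

# postgresql.conf (server side): keytab holding the server's Kerberos principal
krb_server_keyfile = '/etc/postgresql/krb5.keytab'

# Client side (libpq connection string). The default gssencmode=prefer falls
# back to an unencrypted or SSL connection if GSS encryption cannot be set up;
# "require" makes the connection fail instead of silently downgrading.
#   psql "host=db.example.com dbname=app user=alice gssencmode=require"

# Verification from an open session: for the client's own backend, both
# gss_authenticated and encrypted should be true.
#   SELECT pid, gss_authenticated, principal, encrypted FROM pg_stat_gssapi;
```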