On May 1, 2007, at 3:11 PM, Magnus Hagander wrote:

Also, last I checked OpenSSL didn't ship with Windows and Kerberos
encryption did.
How long ago did you check? I've been using OpenSSL on windows for many years. Actually, it was supported just fine on Windows back when it was
added to PostgreSQL *at least*.

I didn't say *available for download*, I said *ship with*. That is, does a Windows Vista Pro box from the factory come with OpenSSL on it? It does
come with Microsoft SSPI, although I don't know compatibility issues.

No, of course not. Microsoft OSes don't ship with *any* third party
software. So yeah, didn't get what you meant, and you do have a point
there. Provided the SSPI stuff actually does gssapi encryption - but
I'll trust the people who say it does. I've only ever used the
authentication parts myself.

The SSPI has encryption and integrity functions, just like the GSSAPI. I don't remember Jeffrey Altman's interop example code well enough to say if he demonstrates that they interoperate as well. Spending 5 seconds looking at it, the SSPI appears to make a distinction between message and stream encryption that the GSSAPI does not make, so there is at least some profiling needed to identify what's common. I suspect that interoperability was intended. If we find bugs and tell the right people Microsoft might even fix them someday.

As to the question of GSSAPI vs SSL, I would never argue we don't want both.

Part of what made the GSSAPI encryption mods difficult was my intent to insert them "above" the SSL encryption/buffering layer. That way you could double-encrypt the channel. Since GSSAPI and SSL are (probably, not necessarily) referenced to completely different ID infrastructure there are scenarios where that's beneficial.

(The other thing that made it hard is that I needed to make changes in different places in the FE and the BE versions of libpq in order to get the same effect.)

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.

---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster

Reply via email to