On Tue, May 01, 2007 at 04:26:13PM -0700, Henry B. Hotz wrote:
> 
> On May 1, 2007, at 3:11 PM, Magnus Hagander wrote:
> 
> >>>>Also, last I checked OpenSSL didn't ship with Windows and Kerberos
> >>>>encryption did.
> >>>How long ago did you check? I've been using OpenSSL on windows  
> >>>for many
> >>>years. Actually, it was supported just fine on Windows back when  
> >>>it was
> >>>added to PostgreSQL *at least*.
> >>
> >>I didn't say *available for download*, I said *ship with*.  That  
> >>is, does a
> >>Windows Vista Pro box from the factory come with OpenSSL on it?   
> >>It does
> >>come with Microsoft SSPI, although I don't know compatibility issues.
> >
> >No, of course not. Microsoft OSes don't ship with *any* third party
> >software. So yeah, didn't get what you meant, and you do have a point
> >there. Provided the SSPI stuff actually does gssapi encryption - but
> >I'll trust the people who say it does. I've only ever used the
> >authentication parts myself.
> 
> The SSPI has encryption and integrity functions, just like the  
> GSSAPI.  I don't remember Jeffrey Altman's interop example code well  
> enough to say if he demonstrates that they interoperate as well.   
> Spending 5 seconds looking at it, the SSPI appears to make a  
> distinction between message and stream encryption that the GSSAPI  
> does not make, so there is at least some profiling needed to identify  
> what's common.  I suspect that interoperability was intended.  If we  
> find bugs and tell the right people Microsoft might even fix them  
> someday.

Ok. Well, that's for later.


> As to the question of GSSAPI vs SSL, I would never argue we don't  
> want both.
> 
> Part of what made the GSSAPI encryption mods difficult was my intent  
> to insert them "above" the SSL encryption/buffering layer.  That way  
> you could double-encrypt the channel.  Since GSSAPI and SSL are  
> (probably, not necessarily) referenced to completely different ID  
> infrastructure there are scenarios where that's beneficial.

We might want to consider restructuring how SSL works when we do, that
might make it easier. The way it is now with #ifdefs all around can lead to
a horrible mess if there are too many different things to choose from.
Something like "transport filters" or whatever might be a way to do it. I
recall having looked at that at some point, but it was too long ago to
remember any details..

//Magnus


---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster

Reply via email to