Alvaro Herrera <alvhe...@2ndquadrant.com> writes:

> How about this?
>
> * If GSSAPI is enabled and we can reach a credential cache,
> * set up a handle for it; if it's operating, just send a
> * GSS startup message, instead of the SSL negotiation and
> * regular startup message below.
Due to the way postgres handled this historically, there are two ways GSSAPI can be used: for connection encryption, and for authentication only. We perform the same dance of sending a "request packet" for GSSAPI encryption as we do for TLS encryption. So I'd like us to be precise about which one we're talking about here (encryption).

The GSSAPI idiom I should have used is "can acquire credentials" (i.e., instead of "can reach a credential cache" in your proposal).

There's no such thing as a "GSS startup message". After negotiating GSSAPI/TLS encryption (or failing to do so), we send the same things in all cases, which includes negotiation of authentication mechanism if any. (Negotiating GSSAPI for authentication after negotiating GSSAPI for encryption will short-circuit rather than establishing a second context, if I remember right.)

I wonder if part of the confusion might be due to the synonyms we're using here for "in use". Things seem to be "got running", "set up", "operating", "negotiated", ... - maybe that's part of the barrier to understanding?

Thanks,
--Robbie
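The sequence Robbie describes (an encryption "request packet" for GSSAPI that works just like the one for SSL/TLS, followed in every case by the same regular StartupMessage) can be modelled in a few lines. The block below is an added illustration written for this page; it is not libpq code and not part of the mailing-list thread. The two request codes (80877103 for SSLRequest, 80877104 for GSSENCRequest) and the one-byte 'S'/'G'/'N' answers are the real PostgreSQL wire-protocol values; everything else (the `FakeServer` stand-in, the `negotiate` function and its parameter names, the sample connection parameters) is constructed for the example.

```python
import struct

# The frontend/backend protocol reserves two "version numbers" for the
# encryption request packets that precede the regular StartupMessage.
# These two constants are the real PostgreSQL protocol values.
SSL_REQUEST_CODE = 80877103     # (1234 << 16) | 5679, answered with 'S' or 'N'
GSSENC_REQUEST_CODE = 80877104  # (1234 << 16) | 5680, answered with 'G' or 'N'
PROTOCOL_3_0 = 196608           # (3 << 16) | 0


def encryption_request(code):
    """Build the 8-byte request packet: int32 length (8) followed by int32 code."""
    return struct.pack("!ii", 8, code)


def startup_message(params):
    """Build the regular StartupMessage: int32 length, int32 protocol version,
    NUL-terminated key/value pairs, and a final NUL terminator."""
    body = struct.pack("!i", PROTOCOL_3_0)
    for key, value in params.items():
        body += key.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"
    return struct.pack("!i", len(body) + 4) + body


class FakeServer:
    """Constructed stand-in for the backend: answers the two request packets
    according to what it 'supports' and records every packet it receives."""

    def __init__(self, supports_gssenc, supports_ssl):
        self.supports_gssenc = supports_gssenc
        self.supports_ssl = supports_ssl
        self.received = []

    def send(self, packet):
        self.received.append(packet)
        length, code = struct.unpack("!ii", packet[:8])
        if length == 8 and code == GSSENC_REQUEST_CODE:
            return b"G" if self.supports_gssenc else b"N"
        if length == 8 and code == SSL_REQUEST_CODE:
            return b"S" if self.supports_ssl else b"N"
        return None  # a StartupMessage; authentication would follow here


def negotiate(server, can_acquire_gss_credentials, want_ssl, params):
    """Model of the client-side decision discussed in the thread (not libpq's
    own code): try GSSAPI encryption if credentials can be acquired, otherwise
    (or on an 'N' answer) try SSL if wanted, and in every case send the same
    StartupMessage afterwards. Returns the transport layer that ended up in use."""
    layer = "plain"
    if can_acquire_gss_credentials:
        answer = server.send(encryption_request(GSSENC_REQUEST_CODE))
        if answer == b"G":
            layer = "gssenc"  # GSSAPI context setup would wrap the socket here
        elif answer != b"N":
            raise ValueError("unexpected reply to GSSENCRequest: %r" % answer)
    if layer == "plain" and want_ssl:
        answer = server.send(encryption_request(SSL_REQUEST_CODE))
        if answer == b"S":
            layer = "ssl"  # the TLS handshake would happen on the socket here
        elif answer != b"N":
            raise ValueError("unexpected reply to SSLRequest: %r" % answer)
    # Whether or not an encryption layer was negotiated, the regular startup
    # message is sent next; there is no separate "GSS startup message".
    server.send(startup_message(params))
    return layer


if __name__ == "__main__":
    # Constructed scenario: server without GSSAPI encryption but with SSL.
    srv = FakeServer(supports_gssenc=False, supports_ssl=True)
    print(negotiate(srv, True, True, {"user": "alice", "database": "app"}))
    print(len(srv.received), "packets sent")
```

Running it with the constructed server prints `ssl` and `3 packets sent`: the GSSENCRequest was answered 'N', the SSLRequest was answered 'S', and the StartupMessage followed regardless, which is exactly the "same things in all cases" point made above.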