On May 1, 2007, at 3:11 PM, Magnus Hagander wrote:
Also, last I checked OpenSSL didn't ship with Windows and Kerberos encryption did.
How long ago did you check? I've been using OpenSSL on Windows for many years. Actually, it was supported just fine on Windows back when it was added to PostgreSQL *at least*.
I didn't say *available for download*, I said *ship with*. That is, does a Windows Vista Pro box from the factory come with OpenSSL on it? It does come with Microsoft SSPI, although I don't know about compatibility issues.
No, of course not. Microsoft OSes don't ship with *any* third party
software. So yeah, didn't get what you meant, and you do have a point
there. Provided the SSPI stuff actually does gssapi encryption - but
I'll trust the people who say it does. I've only ever used the
authentication parts myself.
The SSPI has encryption and integrity functions, just like the
GSSAPI. I don't remember Jeffrey Altman's interop example code well
enough to say if he demonstrates that they interoperate as well.
Spending 5 seconds looking at it, the SSPI appears to make a
distinction between message and stream encryption that the GSSAPI
does not make, so there is at least some profiling needed to identify
what's common. I suspect that interoperability was intended. If we
find bugs and tell the right people Microsoft might even fix them
someday.
As to the question of GSSAPI vs SSL, I would never argue we don't want both.
Part of what made the GSSAPI encryption mods difficult was my intent
to insert them "above" the SSL encryption/buffering layer. That way
you could double-encrypt the channel. Since GSSAPI and SSL are
(probably, not necessarily) referenced to completely different ID
infrastructure there are scenarios where that's beneficial.
(The other thing that made it hard is that I needed to make changes
in different places in the FE and the BE versions of libpq in order
to get the same effect.)
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.