On Tue, May 01, 2007 at 04:26:13PM -0700, Henry B. Hotz wrote: > > On May 1, 2007, at 3:11 PM, Magnus Hagander wrote: > > >>>>Also, last I checked OpenSSL didn't ship with Windows and Kerberos > >>>>encryption did. > >>>How long ago did you check? I've been using OpenSSL on windows > >>>for many > >>>years. Actually, it was supported just fine on Windows back when > >>>it was > >>>added to PostgreSQL *at least*. > >> > >>I didn't say *available for download*, I said *ship with*. That > >>is, does a > >>Windows Vista Pro box from the factory come with OpenSSL on it? > >>It does > >>come with Microsoft SSPI, although I don't know compatibility issues. > > > >No, of course not. Microsoft OSes don't ship with *any* third party > >software. So yeah, didn't get what you meant, and you do have a point > >there. Provided the SSPI stuff actually does gssapi encryption - but > >I'll trust the people who say it does. I've only ever used the > >authentication parts myself. > > The SSPI has encryption and integrity functions, just like the > GSSAPI. I don't remember Jeffrey Altman's interop example code well > enough to say if he demonstrates that they interoperate as well. > Spending 5 seconds looking at it, the SSPI appears to make a > distinction between message and stream encryption that the GSSAPI > does not make, so there is at least some profiling needed to identify > what's common. I suspect that interoperability was intended. If we > find bugs and tell the right people Microsoft might even fix them > someday.
Ok. Well, that's for later. > As to the question of GSSAPI vs SSL, I would never argue we don't > want both. > > Part of what made the GSSAPI encryption mods difficult was my intent > to insert them "above" the SSL encryption/buffering layer. That way > you could double-encrypt the channel. Since GSSAPI and SSL are > (probably, not necessarily) referenced to completely different ID > infrastructure there are scenarios where that's beneficial. We might want to consider restructuring how SSL works when we do, that might make it easier. The way it is now with #ifdefs all around can lead to a horrible mess if there are too many different things to choose from. Something like "transport filters" or whatever might be a way to do it. I recall having looked at that at some point, but it was too long ago to remember any details.. //Magnus ---------------------------(end of broadcast)--------------------------- TIP 2: Don't 'kill -9' the postmaster
