| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov> |
| Cc: | josh(at)agliodbs(dot)com, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Fwd: [PATCHES] Preliminary GSSAPI Patches |
| Date: | 2007-05-02 10:11:56 |
| Message-ID: | 20070502101156.GA10757@svr2.hagander.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, May 01, 2007 at 04:26:13PM -0700, Henry B. Hotz wrote:
>
> On May 1, 2007, at 3:11 PM, Magnus Hagander wrote:
>
> >>>>Also, last I checked OpenSSL didn't ship with Windows and Kerberos
> >>>>encryption did.
> >>>How long ago did you check? I've been using OpenSSL on windows
> >>>for many
> >>>years. Actually, it was supported just fine on Windows back when
> >>>it was
> >>>added to PostgreSQL *at least*.
> >>
> >>I didn't say *available for download*, I said *ship with*. That
> >>is, does a
> >>Windows Vista Pro box from the factory come with OpenSSL on it?
> >>It does
> >>come with Microsoft SSPI, although I don't know compatibility issues.
> >
> >No, of course not. Microsoft OSes don't ship with *any* third party
> >software. So yeah, didn't get what you meant, and you do have a point
> >there. Provided the SSPI stuff actually does gssapi encryption - but
> >I'll trust the people who say it does. I've only ever used the
> >authentication parts myself.
>
> The SSPI has encryption and integrity functions, just like the
> GSSAPI. I don't remember Jeffrey Altman's interop example code well
> enough to say if he demonstrates that they interoperate as well.
> Spending 5 seconds looking at it, the SSPI appears to make a
> distinction between message and stream encryption that the GSSAPI
> does not make, so there is at least some profiling needed to identify
> what's common. I suspect that interoperability was intended. If we
> find bugs and tell the right people Microsoft might even fix them
> someday.
Ok. Well, that's for later.
> As to the question of GSSAPI vs SSL, I would never argue we don't
> want both.
>
> Part of what made the GSSAPI encryption mods difficult was my intent
> to insert them "above" the SSL encryption/buffering layer. That way
> you could double-encrypt the channel. Since GSSAPI and SSL are
> (probably, not necessarily) referenced to completely different ID
> infrastructure there are scenarios where that's beneficial.
We might want to consider restructuring how SSL works when we do, that
might make it easier. The way it is now with #ifdefs all around can lead to
a horrible mess if there are too many different things to choose from.
Something like "transport filters" or whatever might be a way to do it. I
recall having looked at that at some point, but it was too long ago to
remember any details..
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2007-05-02 10:22:08 | Re: Patch queue triage |
| Previous Message | Zeugswetter Andreas ADI SD | 2007-05-02 09:42:09 | Re: Heap page diagnostic functions |