Re: some PostgreSQL 12 release notes comments

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: some PostgreSQL 12 release notes comments
Date: 2019-10-02 07:09:30
Message-ID: 20191002070930.GF6962@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
> On 2019-09-17 22:22, Tom Lane wrote:
> > Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> writes:
> >> * Add GSSAPI encryption support (Robbie Harwood, Stephen Frost)
> >> This allows TCP/IP connections to be encrypted when using GSSAPI
> >> authentication without having to set up a separate encryption facility
> >> like SSL.
> > Hmm, does that imply that you don't have to have compiled --with-openssl,
> > or just that you don't have to bother with setting up SSL certificates?
> > But you already don't have to do the latter. I'd be the first to admit
> > that I know nothing about GSSAPI, but this text still doesn't enlighten
> > me about why I should learn.
>
> It means, more or less, if you already have the client and the server do
> the GSS dance for authentication, you just have to turn on an additional
> flag and they'll also encrypt the communication while they're at it.
>
> This does not require SSL support.
>
> So if you already have a Kerberos infrastructure set up, you can get
> wire encryption for almost free without having to set up a parallel SSL
> CA infrastructure. Which is great for administration.

Right- and moreover, you *do* get mutual authentication between the
client and the server when using Kerberos. This is markedly better than
"TLS/SSL with snakeoil certs, just to get encryption"- it's just about
equivalent to a full PKI environment with client and server validation
and encryption, but without needing openssl or SSL of any kind.

Thanks,

Stephen
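As an added example (not code from this thread and not PostgreSQL's own scripts), here is what "turning on the additional flag" looks like on both ends in PostgreSQL 12, plus the check that the session really is GSSAPI-authenticated and encrypted. The realm EXAMPLE.COM, the host db.example.com, the database appdb, the network 10.0.0.0/8 and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: enforce and verify GSSAPI-encrypted connections in
# PostgreSQL 12. Assumes a Kerberos realm EXAMPLE.COM (placeholder) and a
# client that already holds a valid ticket (kinit).
set -eu

# Server side: pg_hba.conf lines. "hostgssenc" matches only sessions that
# negotiated GSSAPI encryption; "hostnogssenc ... reject" closes the door
# to Kerberos-authenticated but cleartext sessions. The weak variant would
# be a single "host all all 10.0.0.0/8 gss" line: Kerberos authentication,
# but the client may still connect with gssencmode=disable.
gss_hba_fragment() {
    net="$1"   # CIDR the rules apply to
    printf '%s\n' \
        "# TYPE        DATABASE  USER  ADDRESS  METHOD  OPTIONS" \
        "hostgssenc    all       all   ${net}  gss     include_realm=0 krb_realm=EXAMPLE.COM" \
        "hostnogssenc  all       all   ${net}  reject"
}

# Client side: libpq connection string. gssencmode=require makes libpq fail
# rather than fall back to cleartext; the default "prefer" tries encryption
# first and then silently continues without it if the server refuses.
gss_conninfo() {
    host="$1"; db="$2"
    printf 'host=%s dbname=%s gssencmode=require' "$host" "$db"
}

# Verification: pg_stat_gssapi reports whether this backend authenticated
# via GSSAPI and whether its wire traffic is encrypted. Succeeds only when
# both columns are true for the current session.
verify_gss_session() {
    conninfo="$1"
    out=$(psql "$conninfo" -At -c \
        "SELECT gss_authenticated, encrypted FROM pg_stat_gssapi
         WHERE pid = pg_backend_pid();" 2>/dev/null) || return 1
    [ "$out" = "t|t" ]
}

# Usage (server): gss_hba_fragment 10.0.0.0/8 >> "$PGDATA/pg_hba.conf",
#   point krb_server_keyfile in postgresql.conf at the server keytab, reload.
# Usage (client): verify_gss_session "$(gss_conninfo db.example.com appdb)"
```

With the reject rule in place, a client that connects with gssencmode=disable is turned away by the server instead of quietly getting Kerberos authentication over a cleartext link.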
