On Tue, May 01, 2007 at 04:26:13PM -0700, Henry B. Hotz wrote:
>
> On May 1, 2007, at 3:11 PM, Magnus Hagander wrote:
>
> >>>>Also, last I checked OpenSSL didn't ship with Windows and Kerberos
> >>>>encryption did.
> >>>How long ago did you check? I've been using OpenSSL on windows
> >>>for many
> >>>years. Actually, it was supported just fine on Windows back when
> >>>it was
> >>>added to PostgreSQL *at least*.
> >>
> >>I didn't say *available for download*, I said *ship with*. That
> >>is, does a
> >>Windows Vista Pro box from the factory come with OpenSSL on it?
> >>It does
> >>come with Microsoft SSPI, although I don't know compatibility issues.
> >
> >No, of course not. Microsoft OSes don't ship with *any* third party
> >software. So yeah, didn't get what you meant, and you do have a point
> >there. Provided the SSPI stuff actually does gssapi encryption - but
> >I'll trust the people who say it does. I've only ever used the
> >authentication parts myself.
>
> The SSPI has encryption and integrity functions, just like the
> GSSAPI. I don't remember Jeffrey Altman's interop example code well
> enough to say if he demonstrates that they interoperate as well.
> Spending 5 seconds looking at it, the SSPI appears to make a
> distinction between message and stream encryption that the GSSAPI
> does not make, so there is at least some profiling needed to identify
> what's common. I suspect that interoperability was intended. If we
> find bugs and tell the right people Microsoft might even fix them
> someday.
Ok. Well, that's for later.
> As to the question of GSSAPI vs SSL, I would never argue we don't
> want both.
>
> Part of what made the GSSAPI encryption mods difficult was my intent
> to insert them "above" the SSL encryption/buffering layer. That way
> you could double-encrypt the channel. Since GSSAPI and SSL are
> (probably, not necessarily) referenced to completely different ID
> infrastructure there are scenarios where that's beneficial.
We might want to consider restructuring how SSL works when we do, that
might make it easier. The way it is now with #ifdefs all around can lead to
a horrible mess if there are too many different things to choose from.
Something like "transport filters" or whatever might be a way to do it. I
recall having looked at that at some point, but it was too long ago to
remember any details..
//Magnus