Re: Fwd: [PATCHES] Preliminary GSSAPI Patches

From: Henry B. Hotz
Subject: Re: Fwd: [PATCHES] Preliminary GSSAPI Patches
Date:
Msg-id: 6C823FEA-1355-495E-82FC-32F1643AE8EA@jpl.nasa.gov
In reply to: Re: Fwd: [PATCHES] Preliminary GSSAPI Patches (Magnus Hagander <magnus@hagander.net>)
Responses: Re: Fwd: [PATCHES] Preliminary GSSAPI Patches (Magnus Hagander <magnus@hagander.net>)
List: pgsql-hackers
On May 1, 2007, at 3:11 PM, Magnus Hagander wrote:

>>>> Also, last I checked OpenSSL didn't ship with Windows and Kerberos
>>>> encryption did.
>>> How long ago did you check? I've been using OpenSSL on Windows for many
>>> years. Actually, it was supported just fine on Windows back when it was
>>> added to PostgreSQL *at least*.
>>
>> I didn't say *available for download*, I said *ship with*. That is, does a
>> Windows Vista Pro box from the factory come with OpenSSL on it? It does
>> come with Microsoft SSPI, although I don't know compatibility issues.
>
> No, of course not. Microsoft OSes don't ship with *any* third party
> software. So yeah, didn't get what you meant, and you do have a point
> there. Provided the SSPI stuff actually does gssapi encryption - but
> I'll trust the people who say it does. I've only ever used the
> authentication parts myself.

The SSPI has encryption and integrity functions, just like the GSSAPI.
I don't remember Jeffrey Altman's interop example code well enough to
say if he demonstrates that they interoperate as well. Spending 5
seconds looking at it, the SSPI appears to make a distinction between
message and stream encryption that the GSSAPI does not make, so there
is at least some profiling needed to identify what's common. I suspect
that interoperability was intended. If we find bugs and tell the right
people Microsoft might even fix them someday.

As to the question of GSSAPI vs SSL, I would never argue we don't want
both.

Part of what made the GSSAPI encryption mods difficult was my intent to
insert them "above" the SSL encryption/buffering layer. That way you
could double-encrypt the channel. Since GSSAPI and SSL are (probably,
not necessarily) referenced to completely different ID infrastructure
there are scenarios where that's beneficial.

(The other thing that made it hard is that I needed to make changes in
different places in the FE and the BE versions of libpq in order to get
the same effect.)

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
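The message-versus-stream distinction raised in the message above is exactly what a buffering layer has to bridge when a message-oriented security API sits on top of a byte stream. The following Python is an added example, not code from this thread or from PostgreSQL: it shows a length-prefixed framing layer that reassembles wrapped tokens from arbitrary chunk boundaries and rejects tampered tokens. The `wrap`/`unwrap` functions are an HMAC stand-in for `gss_wrap`/`gss_unwrap`, and the key, the frontend messages and the 16384-byte token cap are constructed assumptions.

```python
import hashlib, hmac, struct

_KEY = b"constructed-session-key"  # stands in for a negotiated GSSAPI session key
MAX_TOKEN = 16384  # assumed cap on one token, so a bogus length cannot force unbounded buffering

def wrap(plaintext: bytes) -> bytes:
    """Stand-in for gss_wrap(): one message in, one integrity-tagged token out (not real GSSAPI)."""
    return hmac.new(_KEY, plaintext, hashlib.sha256).digest() + plaintext

def unwrap(token: bytes) -> bytes:
    """Stand-in for gss_unwrap(): verify the tag and reject any tampered token."""
    tag, plaintext = token[:32], token[32:]
    if not hmac.compare_digest(tag, hmac.new(_KEY, plaintext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return plaintext

def frame(token: bytes) -> bytes:
    # A wrapped token is a discrete message; on a byte stream it needs its own length prefix.
    return struct.pack("!I", len(token)) + token

class StreamUnwrapper:
    buf = b""  # bytes received but not yet assembled into a complete token
    def feed(self, chunk: bytes):  # generator: yields each complete message, buffers the rest
        self.buf += chunk
        while len(self.buf) >= 4:
            n = struct.unpack("!I", self.buf[:4])[0]
            if n > MAX_TOKEN:
                raise ValueError("token length exceeds cap")
            if len(self.buf) < 4 + n:
                break  # token incomplete; keep buffering until the rest arrives
            token, self.buf = self.buf[4:4 + n], self.buf[4 + n:]
            yield unwrap(token)

def demo(chunk_size: int) -> list:
    msgs = [b"Q\x00SELECT 1;\x00", b"X"]  # constructed frontend messages
    stream = b"".join(frame(wrap(m)) for m in msgs)
    receiver, received = StreamUnwrapper(), []
    for i in range(0, len(stream), chunk_size):  # deliver the stream in arbitrary-sized chunks
        received += receiver.feed(stream[i:i + chunk_size])
    return received

def tampered_token_rejected() -> bool:
    token = bytearray(wrap(b"X"))
    token[-1] ^= 0x01  # flip one bit of the message body
    try:
        unwrap(bytes(token))
    except ValueError:
        return True
    return False
```

Whatever the chunk size, `demo` yields the same two messages, which is the property a wrap layer inserted above a stream transport (SSL or plain) must preserve.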