On 2019-09-17 22:22, Tom Lane wrote:
> Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
>> * Add GSSAPI encryption support (Robbie Harwood, Stephen Frost)
>> This allows TCP/IP connections to be encrypted when using GSSAPI
>> authentication without having to set up a separate encryption facility
>> like SSL.
> Hmm, does that imply that you don't have to have compiled --with-openssl,
> or just that you don't have to bother with setting up SSL certificates?
> But you already don't have to do the latter. I'd be the first to admit
> that I know nothing about GSSAPI, but this text still doesn't enlighten
> me about why I should learn.
It means, more or less, if you already have the client and the server do
the GSS dance for authentication, you just have to turn on an additional
flag and they'll also encrypt the communication while they're at it.
This does not require SSL support.
So if you already have a Kerberos infrastructure set up, you can get
wire encryption for almost free without having to set up a parallel SSL
CA infrastructure. Which is great for administration.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services