Re: [PATCH v20] GSSAPI encryption support
From | Peter Eisentraut |
---|---|
Subject | Re: [PATCH v20] GSSAPI encryption support |
Date | |
Msg-id | 5ec3f734-810e-36e0-030f-af92efe135da@2ndquadrant.com |
In response to | [PATCH v20] GSSAPI encryption support (Robbie Harwood <rharwood@redhat.com>) |
Responses | Re: [PATCH v20] GSSAPI encryption support |
List | pgsql-hackers |

I don't know much about GSSAPI, but from what I can tell, this seems an attractive feature, and the implementation is compact enough. I have done a bit of work on the internal SSL API refactoring, so I have some thoughts on this patch.

Looking at the file structure, we would have

    be-secure.c
    be-secure-openssl.c
    be-secure-[othersslimpl].c
    be-secure-gssapi.c
    be-secure-common.c

This implies a code structure that isn't really there. be-secure-common.c is used by SSL implementations but not by the GSSAPI implementation.

Perhaps we should rename be-secure-openssl.c to be-ssl-openssl.c and be-secure-common.c to be-ssl-common.c.

Or maybe we avoid that, and you rename be-secure-gssapi.c to just be-gssapi.c and also combine that with the contents of be-gssapi-common.c.

(Or maybe both.)

(And similarly in libpq.)

About pg_hba.conf: The "hostgss" keyword seems a bit confusing. It only applies to encrypted gss-using connections, not all of them. Maybe "hostgssenc" or "hostgsswrap"?

I don't see any tests in the patch. We have a Kerberos test suite at src/test/kerberos/ and an SSL test suite at src/test/ssl/. You can get some ideas there.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services