Re: unclear wording re: spoofing prevention on network connections
| From | Stephen Frost |
|---|---|
| Subject | Re: unclear wording re: spoofing prevention on network connections |
| Date | |
| Msg-id | CAOuzzgpKGS5HtT5e=5DsKuUmm0Q2MQkp_n0vWBk0y74g6qzdTg@mail.gmail.com |
| In response to | Re: unclear wording re: spoofing prevention on network connections (Bruce Momjian <bruce@momjian.us>) |
| Responses | Re: unclear wording re: spoofing prevention on network connections |
| List | pgsql-docs |
Greetings,

On Sat, Dec 9, 2023 at 17:29 Bruce Momjian <bruce@momjian.us> wrote:

> On Fri, Dec 8, 2023 at 05:42:27PM +0000, PG Doc comments form wrote:
> > The following documentation comment has been logged on the website:
> >
> > Page: https://www.postgresql.org/docs/16/preventing-server-spoofing.html
> > Description:
> >
> > When I read:
> > To prevent spoofing on TCP connections, either use SSL certificates and make
> > sure that clients check the server's certificate, or use GSSAPI encryption
> > (or both, if they're on separate connections).
> >
> > It takes some thought to figure out what "separate connections" are being
> > referred to. Does it mean separate TLS connection and
> > non-tls-with-gssapi-encryption?

Short answer here is “yes, you understand correctly.”

> I have no idea. It was added in this commit:

…

Agreed that the wording isn’t great.

The idea is that you can use both TLS and GSSAPI-with-encryption at the same time within a given cluster for connections but you wouldn’t use them on the same connection. Certainly would welcome suggestions as to the best way to phrase that.

Thanks,
Stephen
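
The point about "separate connections" can be checked from the client side. The following is an added example, not part of the original message or of PostgreSQL itself: it reads libpq keyword=value connection strings and reports which mechanism authenticates the server for each client. The client names, hosts and paths are constructed, the parser is simplified (no spaces around `=`), and the `gssencmode=prefer` default assumes a GSSAPI-enabled libpq build.

```python
import shlex

# sslmode values under which libpq checks the server's certificate.
VERIFYING_SSLMODES = {"verify-ca", "verify-full"}

def parse_conninfo(conninfo):
    """Parse a libpq keyword=value string (simplified: no spaces around '=')."""
    return dict(tok.split("=", 1) for tok in shlex.split(conninfo))

def spoofing_protection(conninfo):
    """Return how this client authenticates the server.

    'gssapi'        GSSAPI encryption is required; TLS is not used
    'tls'           TLS with certificate verification; GSSAPI encryption off
    'gssapi-or-tls' libpq picks one of the two per connection, never both
    'none'          the server's identity is not checked
    """
    params = parse_conninfo(conninfo)
    # Assumed defaults: sslmode=prefer, gssencmode=prefer (GSSAPI-enabled build).
    sslmode = params.get("sslmode", "prefer")
    gssencmode = params.get("gssencmode", "prefer")
    if gssencmode == "require":
        return "gssapi"
    # sslmode=require is treated as unverified: in that mode libpq only checks
    # the certificate when a root CA file happens to be present.
    if sslmode not in VERIFYING_SSLMODES:
        return "none"
    return "tls" if gssencmode == "disable" else "gssapi-or-tls"

# Constructed sample: three clients of one cluster, each using its own connection.
CLIENTS = {
    "reporting": "host=db.example.internal dbname=app sslmode=verify-full "
                 "sslrootcert=/etc/ssl/pg-root.crt gssencmode=disable",
    "kerberized": "host=db.example.internal dbname=app gssencmode=require",
    "legacy": "host=db.example.internal dbname=app sslmode=require "
              "gssencmode=disable",
}

def audit(clients):
    """Map each client name to its server-authentication mechanism."""
    return {name: spoofing_protection(ci) for name, ci in clients.items()}

if __name__ == "__main__":
    for name, result in audit(CLIENTS).items():
        print(f"{name:12} {result}")
```

Here `reporting` and `kerberized` show both mechanisms in use against the same cluster, each on its own connection, while `legacy` is the client that would accept a spoofed server.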