| From: | Jacob Champion <pchampion(at)vmware(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Andres Freund <andres(at)anarazel(dot)de>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Michael Paquier <michael(at)paquier(dot)xyz>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com> |
| Subject: | Re: Support for NSS as a libpq TLS backend |
| Date: | 2020-11-06 20:37:48 |
| Message-ID: | 0E64F3CB-4731-4FA8-82D8-D8590086654C@vmware.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Nov 4, 2020, at 5:09 AM, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> (sorry for slow response). You are absolutely right, the has_password flag
> must be tracked per connection in PGconn. The attached v17 implements this as
> well a frontend bugfix which caused dropped connections and some smaller fixups
> to make strings more translateable.
Some initial notes from building and testing on macOS Mojave. I'm working with
both a brew-packaged NSS/NSPR (which includes basic nss-/nspr-config) and a
hand-built NSS/NSPR (which does not).
1. In configure.ac:
> + LDFLAGS="$LDFLAGS $NSS_LIBS $NSPR_LIBS"
> + CFLAGS="$CFLAGS $NSS_CFLAGS $NSPR_CFLAGS"
> +
> + AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [], [AC_MSG_ERROR([library 'nss3' is required for NSS])])
Looks like SSL_VersionRangeSet is part of libssl3, not libnss3. So this fails
with the hand-built stack, where there is no nss-config to populate LDFLAGS. I
changed the function to NSS_InitContext and that seems to work nicely.
2. Among the things to eventually think about when it comes to configuring, it
looks like some platforms [1] install the headers under <nspr4/...> and
<nss3/...> instead of <nspr/...> and <nss/...>. It's unfortunate that the NSS
maintainers never chose an official installation layout.
3. I need two more `#define NO_NSPR_10_SUPPORT` guards added in both
src/include/common/pg_nss.h
src/port/pg_strong_random.c
before the tree will compile for me. Both of those files include NSS headers.
4. be_tls_init() refuses to run correctly for me; I end up getting an NSPR
assertion that looks like
sslMutex_Init not implemented for multi-process applications !
With assertions disabled, this ends up showing a somewhat unhelpful
FATAL: unable to set up TLS connection cache: security library failure. (SEC_ERROR_LIBRARY_FAILURE)
It looks like cross-process locking isn't actually enabled on macOS, which is a
long-standing bug in NSPR [2, 3]. So calls to SSL_ConfigMPServerSIDCache()
error out.
--Jacob
[1] https://github.com/erthink/ReOpenLDAP/issues/112
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=538680
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1192500
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ranier Vilela | 2020-11-06 20:54:13 | re: pgbench stopped supporting large number of client connections on Windows |
| Previous Message | Marina Polyakova | 2020-11-06 20:34:53 | pgbench stopped supporting large number of client connections on Windows |