Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com>
Cc: Kevin Burke <kevin(at)burke(dot)dev>, Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "rachelmheaton(at)gmail(dot)com" <rachelmheaton(at)gmail(dot)com>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2021-11-10 13:49:19
Lists: pgsql-hackers

> On 9 Nov 2021, at 22:22, Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
> On Tue, Nov 9, 2021 at 2:02 PM Joshua Brindle
> <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
>> On Tue, Nov 9, 2021 at 1:59 PM Joshua Brindle
>> <joshua(dot)brindle(at)crunchydata(dot)com> wrote:

>>> Hello, I'm looking to help out with reviews for this CF and I'm
>>> currently looking at this patchset.

Thanks, much appreciated!

>>> currently I'm stuck trying to configure:
>>> checking for nss-config... /usr/bin/nss-config
>>> checking for nspr-config... /usr/bin/nspr-config
>>> ...
>>> checking nss/ssl.h usability... no
>>> checking nss/ssl.h presence... no
>>> checking for nss/ssl.h... no
>>> configure: error: header file <nss/ssl.h> is required for NSS
>>> This is on fedora 33 and nss-devel is installed, nss-config is
>>> available (and configure finds it) but the directory is different from
>>> Ubuntu:
>>> (base) [vagrant(at)fedora ~]$ nss-config --includedir
>>> /usr/include/nss3
>>> (base) [vagrant(at)fedora ~]$ ls -al /usr/include/nss3/ssl.h
>>> -rw-r--r--. 1 root root 70450 Sep 30 05:41 /usr/include/nss3/ssl.h
>>> So if nss-config --includedir is used then #include <ssl.h> should be
>>> used, or if not then #include <nss3/ssl.h> but on this system #include
>>> <nss/ssl.h> is not going to work.

Interesting rename, I doubt any version but NSS 3 and NSPR 4 is alive anywhere,
and an incremented major version seems highly unlikely. Going back to plain
#include <ssl.h> and having the include flags sort out the correct directories
seems like the best option then. Fixed in the attached.

>> FYI, if I make a symlink to get past this, configure completes but
>> compilation fails because nspr/nspr.h cannot be found (I'm not sure
>> why configure doesn't discover this)
>> ../../src/include/common/nss.h:31:10: fatal error: 'nspr/nspr.h' file not found
>> #include <nspr/nspr.h>
>> In file included from protocol_nss.c:24:
>> ../../src/include/common/nss.h:31:10: fatal error: 'nspr/nspr.h' file not found
>> #include <nspr/nspr.h>
>>          ^~~~~~~~~~~~~
>> It's a similar issue:
>> $ nspr-config --includedir
>> /usr/include/nspr4


> If these get resolved the next issue is llvm bitcode doesn't compile
> because the nss includedir is missing from CPPFLAGS:
> /usr/bin/clang -Wno-ignored-attributes -fno-strict-aliasing -fwrapv
> -O2 -I../../../src/include -D_GNU_SOURCE -I/usr/include/libxml2
> -I/usr/include -flto=thin -emit-llvm -c -o be-secure-nss.bc
> be-secure-nss.c
> In file included from be-secure-nss.c:20:
> In file included from ../../../src/include/common/nss.h:38:
> In file included from /usr/include/nss/nss.h:34:
> /usr/include/nss/seccomon.h:17:10: fatal error: 'prtypes.h' file not found
> #include "prtypes.h"
> ^~~~~~~~~~~
> 1 error generated.


The attached also resolves the conflicts in pgcrypto following db7d1a7b05. PGP
ElGamal and RSA pubkey functions aren't supported for now as there are no bignum
functions similar to the BN_* in OpenSSL. I will look more into how hard it
would be to support; for now this gets us ahead.

Daniel Gustafsson

Attachment Content-Type Size
v48-0010-nss-Build-infrastructure.patch application/octet-stream 24.4 KB
v48-0009-nss-Support-NSS-in-cryptohash.patch application/octet-stream 6.1 KB
v48-0008-nss-Support-NSS-in-sslinfo.patch application/octet-stream 3.6 KB
v48-0007-nss-Support-NSS-in-pgcrypto.patch application/octet-stream 79.8 KB
v48-0006-nss-Documentation.patch application/octet-stream 35.6 KB
v48-0005-nss-pg_strong_random-support.patch application/octet-stream 2.0 KB
v48-0004-test-check-for-empty-stderr-during-connect_ok.patch application/octet-stream 3.7 KB
v48-0003-nss-Add-NSS-specific-tests.patch application/octet-stream 59.0 KB
v48-0002-Refactor-SSL-testharness-for-multiple-library.patch application/octet-stream 11.6 KB
v48-0001-nss-Support-libnss-as-TLS-library-in-libpq.patch application/octet-stream 103.0 KB
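The header-location problem discussed above (Debian/Ubuntu ship NSS and NSPR
headers under /usr/include/nss and /usr/include/nspr, Fedora under
/usr/include/nss3 and /usr/include/nspr4, so a hard-coded <nss/ssl.h> or
<nspr/nspr.h> fails on one of them) comes down to a build check: derive the
-I flags from nss-config/nspr-config, include the plain header names, and make
sure those flags land in CPPFLAGS so the llvm bitcode compile sees them too.
The script below is an added example of that check and is not part of the
attached patches or the PostgreSQL tree. All function names are this
example's own; the distribution layouts it tests against are constructed in a
temporary directory with fake nss-config/nspr-config scripts, so it runs
without the real packages installed.

```shell
#!/bin/sh
# Added example: discover NSS/NSPR include directories through their *-config
# scripts instead of hard-coding a distribution's directory name.
# Function names here are this example's own, not PostgreSQL's.

# nss_cppflags: print -I flags for NSS and NSPR from nss-config/nspr-config.
# Returns 1 if either script is missing or prints nothing, so a configure-like
# caller can fail loudly instead of proceeding with an empty include path.
nss_cppflags() {
    nssdir=$(nss-config --includedir 2>/dev/null) || return 1
    nsprdir=$(nspr-config --includedir 2>/dev/null) || return 1
    [ -n "$nssdir" ] && [ -n "$nsprdir" ] || return 1
    printf '%s %s\n' "-I$nssdir" "-I$nsprdir"
}

# header_resolves: emulate the preprocessor's search for <header> ($2) along
# the -I directories in a CPPFLAGS string ($1). Prints the resolved path.
header_resolves() {
    flags=$1 hdr=$2
    for flag in $flags; do
        case $flag in
            -I*) dir=${flag#-I}
                 if [ -f "$dir/$hdr" ]; then printf '%s\n' "$dir/$hdr"; return 0; fi ;;
        esac
    done
    return 1
}

# check_nss_headers: both ssl.h and nspr.h must be reachable through the same
# flags, and those flags go into CPPFLAGS (which the .bc bitcode rule uses),
# not only into a per-target CFLAGS.
check_nss_headers() {
    flags=$(nss_cppflags) || { echo "nss-config/nspr-config not found" >&2; return 1; }
    header_resolves "$flags" ssl.h  >/dev/null || { echo "ssl.h not found via: $flags" >&2; return 1; }
    header_resolves "$flags" nspr.h >/dev/null || { echo "nspr.h not found via: $flags" >&2; return 1; }
    printf 'CPPFLAGS += %s\n' "$flags"
}

# make_fake_layout: constructed test fixture. Builds $1/include/$2/ssl.h and
# $1/include/$3/nspr.h plus fake nss-config/nspr-config scripts in $1/bin that
# answer --includedir the way the real ones do on that distribution.
make_fake_layout() {
    root=$1
    mkdir -p "$root/bin" "$root/include/$2" "$root/include/$3"
    : > "$root/include/$2/ssl.h"
    : > "$root/include/$3/nspr.h"
    printf '#!/bin/sh\n[ "$1" = --includedir ] && echo %s\n' "$root/include/$2" > "$root/bin/nss-config"
    printf '#!/bin/sh\n[ "$1" = --includedir ] && echo %s\n' "$root/include/$3" > "$root/bin/nspr-config"
    chmod +x "$root/bin/nss-config" "$root/bin/nspr-config"
}

# run_check_with_layout: run check_nss_headers against a fake layout
# ($1 = NSS subdir, $2 = NSPR subdir), with the fake *-config scripts first
# on PATH only inside the command substitution's subshell.
run_check_with_layout() {
    root=$(mktemp -d)
    make_fake_layout "$root" "$1" "$2"
    out=$(PATH="$root/bin:$PATH"; export PATH; check_nss_headers); rc=$?
    rm -rf "$root"
    [ "$rc" -eq 0 ] && printf '%s\n' "$out"
    return "$rc"
}

# Usage: the Fedora-style layout (nss3/nspr4) and the Debian-style layout
# (nss/nspr) both pass, because nothing here depends on the directory name.
run_check_with_layout nss3 nspr4
run_check_with_layout nss nspr
```

On a real system, replace the fake layout with the installed packages: the
same check_nss_headers call then reports the flags configure should add to
CPPFLAGS, and header_resolves shows why `#include <nss/ssl.h>` fails on
Fedora while `#include <ssl.h>` with `-I$(nss-config --includedir)` works.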
