Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Jacob Champion <pchampion(at)vmware(dot)com>
Cc: "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2021-05-27 20:31:07
Message-ID: 2FD5BB88-595A-47A0-8F51-0A1B5EEC93FA@yesql.se
Lists: pgsql-hackers

> On 25 Mar 2021, at 00:56, Jacob Champion <pchampion(at)vmware(dot)com> wrote:

> Databases that are opened *after* the first one are given their own separate slots. Any certificates that are part of those databases seemingly can't be referenced directly by nickname. They have to be prefixed by their token name -- a name which you don't have if you used NSS_InitContext() to create the database. You have to use SECMOD_OpenUserDB() instead. This explains some strange failures I was seeing in local testing, where the order of InitContext determined whether our client certificate selection succeeded or failed.

Sorry for the latency in responding, but I'm now back from parental leave.

AFAICT the tokenname for the database can be set with the dbTokenDescription
member in the NSSInitParameters struct passed to NSS_InitContext() (documented
in nss.h). Using this we can avoid the messier SECMOD machinery and use the
token in the auth callback to refer to the database we loaded. I hacked this
up in my local tree (rebased patchset coming soon) and it seems to work as
intended.

--
Daniel Gustafsson https://vmware.com/
