Re: Support for NSS as a libpq TLS backend

> On 25 Nov 2021, at 14:39, Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
> On Wed, Nov 24, 2021 at 8:49 AM Joshua Brindle
> <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
>>
>> On Wed, Nov 24, 2021 at 8:46 AM Joshua Brindle
>> <joshua(dot)brindle(at)crunchydata(dot)com> wrote:

>> I don't know enough about NSS to know if this is problematic or not
>> but if I try verify-full without having the root CA in the certificate
>> store I get:
>>
>> $ /usr/pgsql-15/bin/psql "host=localhost sslmode=verify-full user=postgres"
>> psql: error: SSL error: Issuer certificate is invalid.
>> unable to shut down NSS context: NSS could not shutdown. Objects are
>> still in use.

Fixed.

> Something is strange with ssl downgrading and a bad ssldatabase
> [postgres(at)11cdfa30f763 ~]$ /usr/pgsql-15/bin/psql "ssldatabase=oops
> sslcert=client_cert host=localhost"
> Password for user postgres:
>
> <freezes here>

Also fixed.

> On the server side:
> 2021-11-25 01:52:01.984 UTC [269] LOG: unable to handshake:
> Encountered end of file (PR_END_OF_FILE_ERROR)

This is normal and expected, but to make it easier on users I've changed this
error message to be aligned with the OpenSSL implementation.

> Other than that and I still haven't tested --with-llvm I've gotten
> everything working, including with an openssl client. Attached is a
> dockerfile that gets to the point where a client can connect with
> clientcert=verify-full. I've removed some of the old cruft and
> debugging from the previous versions.

Very cool, thanks! I've been unable to reproduce any issues with llvm but I'll
keep poking at that. A new version will be posted shortly with the above and a
few more fixes.

--
Daniel Gustafsson https://vmware.com/