Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Jacob Champion <pchampion(at)vmware(dot)com>
Cc: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Andres Freund <andres(at)anarazel(dot)de>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Michael Paquier <michael(at)paquier(dot)xyz>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2020-11-17 15:00:53
Message-ID: 94E22878-6289-43D5-A674-804F6CB23782@yesql.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> On 16 Nov 2020, at 21:00, Jacob Champion <pchampion(at)vmware(dot)com> wrote:
> On Nov 13, 2020, at 4:14 AM, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:

>> I've incorporated this patch as well as the previous patch for the assertion
>> failure on private callback data into the attached v19 patchset. I also did a
>> spellcheck and pgindent run on it for ease of review.
>
> Commit 6be725e70 got rid of some psql error messaging that the tests
> were keying off of, so there are a few new failures after a rebase onto
> latest master.
>
> I've attached a patch that gets the SCRAM tests a little further
> (certificate hashing was caught in an infinite loop). I also added error
> checks to those loops, along the lines of the existing OpenSSL
> implementation: if a suitable digest can't be found, the user will see
> an error like
>
> psql: error: could not find digest for OID 'PKCS #1 SHA-256 With RSA Encryption'
>
> It's a little verbose but I don't think this case should come up in
> normal practice.

Nice, thanks for the fix! I've incorporated your patch into the attached v20
which also fixes client side error reporting to be more readable. The SCRAM
tests are now also hooked up, albeit with SKIP blocks for NSS, so they can
start getting fixed.

cheers ./daniel

Attachment Content-Type Size
v20-0001-NSS-Frontend-Backend-and-build-infrastructure.patch application/octet-stream 109.1 KB
v20-0002-NSS-Testharness-updates.patch application/octet-stream 53.5 KB
v20-0003-NSS-pg_strong_random-support.patch application/octet-stream 4.4 KB
v20-0004-NSS-Documentation.patch application/octet-stream 14.2 KB
v20-0005-NSS-contrib-modules.patch application/octet-stream 29.9 KB

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Victor Yegorov 2020-11-17 15:05:08 Re: Deleting older versions in unique indexes to avoid page splits
Previous Message Pavel Stehule 2020-11-17 14:31:31 Re: Is it useful to record whether plans are generic or custom?