Quick Links

Re: Support for NSS as a libpq TLS backend

From:	Daniel Gustafsson <daniel(at)yesql(dot)se>
To:	Jacob Champion <pchampion(at)vmware(dot)com>
Cc:	"pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de>
Subject:	Re: Support for NSS as a libpq TLS backend
Date:	2021-07-26 13:26:16
Message-ID:	A89F3823-40BD-4469-AFA8-819C20C0B24D@yesql.se
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

> On 19 Jul 2021, at 21:33, Jacob Champion <pchampion(at)vmware(dot)com> wrote:

> ..client connections will crash if
> hostaddr is provided rather than host, because SSL_SetURL can't handle
> a NULL argument. I'm running with 0002 to fix it for the moment, but
> I'm not sure yet if it does the right thing for IP addresses, which the
> OpenSSL side has a special case for.

AFAICT the idea is to handle it in the cert auth callback, so I've added some
PoC code to check for sslsni there and updated the TODO comment to reflect
that.

I've applied your patches in the attached rebase which passes all tests for me.

--
Daniel Gustafsson https://vmware.com/

Attachment	Content-Type	Size
v39-0010-nss-Build-infrastructure.patch	application/octet-stream	21.4 KB
v39-0009-nss-Support-NSS-in-cryptohash.patch	application/octet-stream	6.1 KB
v39-0008-nss-Support-NSS-in-sslinfo.patch	application/octet-stream	3.6 KB
v39-0007-nss-Support-NSS-in-pgcrypto.patch	application/octet-stream	24.9 KB
v39-0006-nss-Documentation.patch	application/octet-stream	35.3 KB
v39-0005-nss-pg_strong_random-support.patch	application/octet-stream	2.0 KB
v39-0004-test-check-for-empty-stderr-during-connect_ok.patch	application/octet-stream	3.6 KB
v39-0003-nss-Add-NSS-specific-tests.patch	application/octet-stream	57.9 KB
v39-0002-Refactor-SSL-testharness-for-multiple-library.patch	application/octet-stream	11.5 KB
v39-0001-nss-Support-libnss-as-TLS-library-in-libpq.patch	application/octet-stream	102.5 KB

In response to

Re: Support for NSS as a libpq TLS backend at 2021-07-19 19:33:23 from Jacob Champion

Responses

Re: Support for NSS as a libpq TLS backend at 2021-08-10 17:22:20 from Daniel Gustafsson
Re: Support for NSS as a libpq TLS backend at 2021-09-21 00:06:15 from Jacob Champion

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Robert Haas	2021-07-26 13:31:04	Re: .ready and .done files considered harmful
Previous Message	John Naylor	2021-07-26 12:58:37	Re: speed up verifying UTF-8