Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Jacob Champion <pchampion(at)vmware(dot)com>
Cc: "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2021-02-22 13:31:13
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

> On 18 Feb 2021, at 21:33, Jacob Champion <pchampion(at)vmware(dot)com> wrote:
> On Wed, 2021-02-17 at 22:35 +0100, Daniel Gustafsson wrote:
>> Attached is a rebase on top of this and the recent cryptohash changes to pass
>> in buffer lengths to the _final function. On top of that, I fixed up and
>> expanded the documentation, improved SCRAM handling (by using NSS digest
>> operations which are better suited) and reworded and expanded comments. This
>> patch version is, I think, feature complete with the OpenSSL implementation.
> fe-secure-nss.c is no longer compiling as of this patchset; looks
> like pgtls_open_client() has a truncated statement.

Ouch, I had a local mismerge that snuck in as I moved the branch around for
submission here. The attached fixes that as well as implements the sslcrldir
support that was committed recently. The crldir parameter isn't applicable to
NSS per se since all CRL's are loaded into the NSS database, but it does need
to be supported for the tests.

The crldir commit also made similar changes to the test harness as I had done
to support the NSS database, which made these incompatible. To fix that I've
implemented named parameters in switch_server_cert to make it less magic with
multiple optional parameters.

Daniel Gustafsson

Attachment Content-Type Size
v28-0009-nss-Build-infrastructure.patch application/octet-stream 20.5 KB
v28-0008-nss-Support-NSS-in-cryptohash.patch application/octet-stream 6.1 KB
v28-0007-nss-Support-NSS-in-sslinfo.patch application/octet-stream 3.6 KB
v28-0006-nss-Support-NSS-in-pgcrypto.patch application/octet-stream 24.6 KB
v28-0005-nss-Documentation.patch application/octet-stream 33.8 KB
v28-0004-nss-pg_strong_random-support.patch application/octet-stream 1.9 KB
v28-0003-nss-Add-NSS-specific-tests.patch application/octet-stream 52.3 KB
v28-0002-Refactor-SSL-testharness-for-multiple-library.patch application/octet-stream 11.5 KB
v28-0001-nss-Support-libnss-as-TLS-library-in-libpq.patch application/octet-stream 92.0 KB

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Amit Kapila 2021-02-22 13:31:57 Re: Parallel INSERT (INTO ... SELECT ...)
Previous Message Greg Nancarrow 2021-02-22 12:40:20 Re: Parallel INSERT (INTO ... SELECT ...)