| From: | Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Kevin Burke <kevin(at)burke(dot)dev>, Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "rachelmheaton(at)gmail(dot)com" <rachelmheaton(at)gmail(dot)com>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de> |
| Subject: | Re: Support for NSS as a libpq TLS backend |
| Date: | 2021-12-20 17:27:11 |
| Message-ID: | CAGB+Vh4tNp0QSkgo=60b-D=-A7TbPM8SS3nYH84LXzQSNm9gqw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Dec 15, 2021 at 5:05 PM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
> > On 25 Nov 2021, at 14:39, Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
> > On Wed, Nov 24, 2021 at 8:49 AM Joshua Brindle
> > <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
> >>
> >> On Wed, Nov 24, 2021 at 8:46 AM Joshua Brindle
> >> <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
>
> >> I don't know enough about NSS to know if this is problematic or not
> >> but if I try verify-full without having the root CA in the certificate
> >> store I get:
> >>
> >> $ /usr/pgsql-15/bin/psql "host=localhost sslmode=verify-full user=postgres"
> >> psql: error: SSL error: Issuer certificate is invalid.
> >> unable to shut down NSS context: NSS could not shutdown. Objects are
> >> still in use.
>
> Fixed.
>
> > Something is strange with ssl downgrading and a bad ssldatabase
> > [postgres(at)11cdfa30f763 ~]$ /usr/pgsql-15/bin/psql "ssldatabase=oops
> > sslcert=client_cert host=localhost"
> > Password for user postgres:
> >
> > <freezes here>
>
> Also fixed.
>
> > On the server side:
> > 2021-11-25 01:52:01.984 UTC [269] LOG: unable to handshake:
> > Encountered end of file (PR_END_OF_FILE_ERROR)
>
> This is normal and expected, but to make it easier on users I've changed this
> error message to be aligned with the OpenSSL implementation.
>
> > Other than that and I still haven't tested --with-llvm I've gotten
> > everything working, including with an openssl client. Attached is a
> > dockerfile that gets to the point where a client can connect with
> > clientcert=verify-full. I've removed some of the old cruft and
> > debugging from the previous versions.
>
> Very cool, thanks! I've been unable to reproduce any issues with llvm but I'll
> keep poking at that. A new version will be posted shortly with the above and a
> few more fixes.
For v50 this change was required for an llvm build to succeed on my
Fedora system:
diff --git a/configure b/configure
index 25388a75a2..62d554806a 100755
--- a/configure
+++ b/configure
@@ -13276,6 +13276,7 @@ fi
LDFLAGS="$LDFLAGS $NSS_LIBS $NSPR_LIBS"
CFLAGS="$CFLAGS $NSS_CFLAGS $NSPR_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $NSS_CFLAGS $NSPR_CFLAGS"
$as_echo "#define USE_NSS 1" >>confdefs.h
I'm not certain why configure didn't already have that, configure.ac
appears to, but nonetheless it builds, all tests succeed, and a quick
tire kicking looks good.
Thank you.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Geoghegan | 2021-12-20 17:39:22 | Re: Unifying VACUUM VERBOSE and log_autovacuum_min_duration output |
| Previous Message | Alvaro Herrera | 2021-12-20 17:14:01 | Re: PublicationActions - use bit flags. |