Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>
Cc: Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2020-09-01 12:43:58
Lists: pgsql-hackers

> On 5 Aug 2020, at 22:38, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com> wrote:
> On 8/4/20 5:42 PM, Daniel Gustafsson wrote:
>>> On 3 Aug 2020, at 21:18, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com> wrote:
>>> On 8/3/20 12:46 PM, Andrew Dunstan wrote:
>>>> On 7/31/20 4:44 PM, Andrew Dunstan wrote:
>>>>> OK, here is an update of your patch that compiles and runs against NSS
>>>>> under Windows (VS2019).
>> Out of curiosity since I'm not familiar with Windows, how hard/easy is it to
>> install NSS for the purpose of a) hacking on postgres+NSS and b) using postgres
>> with NSS as the backend?
> I've laid out the process at

That's fantastic, thanks for putting that together.

>>>> OK, this version contains pre-generated nss files, and passes a full
>>>> buildfarm run including the ssl test module, with both openssl and NSS.
>>>> That should keep the cfbot happy :-)

Turns out the CFBot doesn't like the binary diffs. They are included in this
version too but we should probably drop them again it seems.

>> Exciting, thanks a lot for helping out on this! I've started to look at the
>> required documentation changes during vacation, will hopefully be able to post
>> something soon.
> Good. Having got the tests running cleanly on Linux, I'm now going back
> to work on that for Windows.
> After that I'll look at the hook/callback stuff.

The attached v9 contains mostly a first stab at getting some documentation
going, it's far from completed but I'd rather share more frequently to not have
local trees deviate too much in case you've had time to hack as well. I had a
few documentation tweaks in the code too, but no real functionality change for

The 0001 patch isn't strictly necessary but it seems reasonable to address the
various ways OpenSSL was spelled out in the docs while updating the SSL
portions. It essentially ensures that markup around OpenSSL and SSL is used
consistently. I didn't address the line lengths being too long in this patch to
make review easier instead.

cheers ./daniel

Attachment Content-Type Size
0001-docs-consistent-markup-for-OpenSSL-and-SSL-v9.patch application/octet-stream 9.7 KB
0002-Support-for-NSS-as-a-TLS-backend-v9.patch application/octet-stream 397.5 KB
