Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Jacob Champion <pchampion(at)vmware(dot)com>
Cc: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Andres Freund <andres(at)anarazel(dot)de>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Michael Paquier <michael(at)paquier(dot)xyz>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2020-11-06 23:11:15
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

> On 6 Nov 2020, at 21:37, Jacob Champion <pchampion(at)vmware(dot)com> wrote:

> Some initial notes from building and testing on macOS Mojave. I'm working with
> both a brew-packaged NSS/NSPR (which includes basic nss-/nspr-config) and a
> hand-built NSS/NSPR (which does not).

Thanks for looking!

> 1. In
>> +
>> + AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [], [AC_MSG_ERROR([library 'nss3' is required for NSS])])
> Looks like SSL_VersionRangeSet is part of libssl3, not libnss3. So this fails
> with the hand-built stack, where there is no nss-config to populate LDFLAGS. I
> changed the function to NSS_InitContext and that seems to work nicely.

Ah yes, fixed.

> 2. Among the things to eventually think about when it comes to configuring, it
> looks like some platforms [1] install the headers under <nspr4/...> and
> <nss3/...> instead of <nspr/...> and <nss/...>. It's unfortunate that the NSS
> maintainers never chose an official installation layout.

Yeah, maybe we need to start with the most common path and have fallbacks in
case not found?

> 3. I need two more `#define NO_NSPR_10_SUPPORT` guards added in both
> src/include/common/pg_nss.h
> src/port/pg_strong_random.c
> before the tree will compile for me. Both of those files include NSS headers.

Odd that I was able to compile on Linux, but I've added these.

> 4. be_tls_init() refuses to run correctly for me; I end up getting an NSPR
> assertion that looks like
> sslMutex_Init not implemented for multi-process applications !
> With assertions disabled, this ends up showing a somewhat unhelpful
> FATAL: unable to set up TLS connection cache: security library failure. (SEC_ERROR_LIBRARY_FAILURE)
> It looks like cross-process locking isn't actually enabled on macOS, which is a
> long-standing bug in NSPR [2, 3]. So calls to SSL_ConfigMPServerSIDCache()
> error out.

Thats unfortunate since the session cache is required for a server application
backed by NSS. The attached switches to SSL_ConfigServerSessionIDCacheWithOpt
with which one can explicitly make the cache non-shared, which in turn backs
the mutexes with NSPR locks rather than the missing sem_init. Can you test
this version and see if that makes it work?

This version also contains a channel binding bug that Heikki pointed out off-
list (sadly not The bug) and a few very minor cleanups as well as a rebase to
handle the new pg_strong_random_init. Actually performing the context init
there is yet a TODO, but I wanted a version out that at all compiled.

cheers ./daniel

Attachment Content-Type Size
v18-0001-NSS-Frontend-Backend-and-build-infrastructure.patch application/octet-stream 108.1 KB
v18-0002-NSS-Testharness-updates.patch application/octet-stream 49.5 KB
v18-0003-NSS-pg_strong_random-support.patch application/octet-stream 4.4 KB
v18-0004-NSS-Documentation.patch application/octet-stream 14.2 KB
v18-0005-NSS-contrib-modules.patch application/octet-stream 29.9 KB

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Alvaro Herrera 2020-11-06 23:40:05 Re: list_free() in index_get_partition()
Previous Message Wang, Shenhao 2020-11-06 22:56:11 errors when there is a bit literal in ecpg