|From:||Daniel Gustafsson <daniel(at)yesql(dot)se>|
|To:||Jacob Champion <pchampion(at)vmware(dot)com>|
|Cc:||Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Andres Freund <andres(at)anarazel(dot)de>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Michael Paquier <michael(at)paquier(dot)xyz>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>|
|Subject:||Re: Support for NSS as a libpq TLS backend|
|Views:||Raw Message | Whole Thread | Download mbox | Resend email|
> On 6 Nov 2020, at 21:37, Jacob Champion <pchampion(at)vmware(dot)com> wrote:
> Some initial notes from building and testing on macOS Mojave. I'm working with
> both a brew-packaged NSS/NSPR (which includes basic nss-/nspr-config) and a
> hand-built NSS/NSPR (which does not).
Thanks for looking!
> 1. In configure.ac:
>> + LDFLAGS="$LDFLAGS $NSS_LIBS $NSPR_LIBS"
>> + CFLAGS="$CFLAGS $NSS_CFLAGS $NSPR_CFLAGS"
>> + AC_CHECK_LIB(nss3, SSL_VersionRangeSet, , [AC_MSG_ERROR([library 'nss3' is required for NSS])])
> Looks like SSL_VersionRangeSet is part of libssl3, not libnss3. So this fails
> with the hand-built stack, where there is no nss-config to populate LDFLAGS. I
> changed the function to NSS_InitContext and that seems to work nicely.
Ah yes, fixed.
> 2. Among the things to eventually think about when it comes to configuring, it
> looks like some platforms  install the headers under <nspr4/...> and
> <nss3/...> instead of <nspr/...> and <nss/...>. It's unfortunate that the NSS
> maintainers never chose an official installation layout.
Yeah, maybe we need to start with the most common path and have fallbacks in
case not found?
> 3. I need two more `#define NO_NSPR_10_SUPPORT` guards added in both
> before the tree will compile for me. Both of those files include NSS headers.
Odd that I was able to compile on Linux, but I've added these.
> 4. be_tls_init() refuses to run correctly for me; I end up getting an NSPR
> assertion that looks like
> sslMutex_Init not implemented for multi-process applications !
> With assertions disabled, this ends up showing a somewhat unhelpful
> FATAL: unable to set up TLS connection cache: security library failure. (SEC_ERROR_LIBRARY_FAILURE)
> It looks like cross-process locking isn't actually enabled on macOS, which is a
> long-standing bug in NSPR [2, 3]. So calls to SSL_ConfigMPServerSIDCache()
> error out.
Thats unfortunate since the session cache is required for a server application
backed by NSS. The attached switches to SSL_ConfigServerSessionIDCacheWithOpt
with which one can explicitly make the cache non-shared, which in turn backs
the mutexes with NSPR locks rather than the missing sem_init. Can you test
this version and see if that makes it work?
This version also contains a channel binding bug that Heikki pointed out off-
list (sadly not The bug) and a few very minor cleanups as well as a rebase to
handle the new pg_strong_random_init. Actually performing the context init
there is yet a TODO, but I wanted a version out that at all compiled.
|Next Message||Alvaro Herrera||2020-11-06 23:40:05||Re: list_free() in index_get_partition()|
|Previous Message||Wang, Shenhao||2020-11-06 22:56:11||errors when there is a bit literal in ecpg|