| From: | Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net> |
| Subject: | Re: Support for NSS as a libpq TLS backend |
| Date: | 2020-08-03 19:18:47 |
| Message-ID: | e3ad96e8-7d2d-6c3d-39c9-fc1fa47a30f0@2ndQuadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 8/3/20 12:46 PM, Andrew Dunstan wrote:
> On 7/31/20 4:44 PM, Andrew Dunstan wrote:
>> On 7/15/20 6:18 PM, Daniel Gustafsson wrote:
>>>> On 15 Jul 2020, at 20:35, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com> wrote:
>>>>
>>>> On 5/15/20 4:46 PM, Daniel Gustafsson wrote:
>>>>> My plan is to keep hacking at this to have it reviewable for the 14 cycle, so
>>>>> if anyone has an interest in NSS, then I would love to hear feedback on how it
>>>>> works (and doesn't work).
>>>> I'll be happy to help, particularly with Windows support and with some
>>>> of the callback stuff I've had a hand in.
>>> That would be fantastic, thanks! The password callback handling is still a
>>> TODO so feel free to take a stab at that since you have a lot of context on
>>> there.
>>>
>>> For Windows, I've include USE_NSS in Solution.pm as Thomas pointed out in this
>>> thread, but that was done blind as I've done no testing on Windows yet.
>>>
>> OK, here is an update of your patch that compiles and runs against NSS
>> under Windows (VS2019).
>>
>>
>> In addition to some work that was missing in src/tools/msvc, I had to
>> make a few adjustments, including:
>>
>>
>> * strtok_r() isn't available on Windows. We don't use it elsewhere in
>> the postgres code, and it seemed unnecessary to have reentrant calls
>> here, so I just replaced it with equivalent strtok() calls.
>> * We were missing an NSS implementation of
>> pgtls_verify_peer_name_matches_certificate_guts(). I supplied a
>> dummy that's enough to get it building cleanly, but that needs to be
>> filled in properly.
>>
>>
>> There is still plenty of work to go, but this seemed a sufficient
>> milestone to report progress on.
>>
>>
>
> OK, this version contains pre-generated nss files, and passes a full
> buildfarm run including the ssl test module, with both openssl and NSS.
> That should keep the cfbot happy :-)
>
>
rebased on current master.
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-WIP-Support-libnss-for-as-TLS-backend-v8.patch | text/x-patch | 395.5 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Wolfgang Walther | 2020-08-03 19:25:18 | Re: extension patch of CREATE OR REPLACE TRIGGER |
| Previous Message | Daniel Verite | 2020-08-03 18:56:06 | EDB builds Postgres 13 with an obsolete ICU version |