Re: Support for NSS as a libpq TLS backend
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <pchampion@vmware.com>
Cc: "hlinnaka@iki.fi" <hlinnaka@iki.fi>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>,
"andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>,
"sfrost@snowman.net" <sfrost@snowman.net>,
"thomas.munro@gmail.com" <thomas.munro@gmail.com>,
"michael@paquier.xyz" <michael@paquier.xyz>,
"andres@anarazel.de" <andres@anarazel.de>
Date: 2021-02-24T12:23:32Z
Lists: pgsql-hackers
Attachments
- v29-0009-nss-Build-infrastructure.patch (application/octet-stream) patch v29-0009
- v29-0008-nss-Support-NSS-in-cryptohash.patch (application/octet-stream) patch v29-0008
- v29-0007-nss-Support-NSS-in-sslinfo.patch (application/octet-stream) patch v29-0007
- v29-0006-nss-Support-NSS-in-pgcrypto.patch (application/octet-stream) patch v29-0006
- v29-0005-nss-Documentation.patch (application/octet-stream) patch v29-0005
- v29-0004-nss-pg_strong_random-support.patch (application/octet-stream) patch v29-0004
- v29-0003-nss-Add-NSS-specific-tests.patch (application/octet-stream) patch v29-0003
- v29-0002-Refactor-SSL-testharness-for-multiple-library.patch (application/octet-stream) patch v29-0002
- v29-0001-nss-Support-libnss-as-TLS-library-in-libpq.patch (application/octet-stream) patch v29-0001
> On 24 Feb 2021, at 01:11, Jacob Champion <pchampion@vmware.com> wrote:
>
> On Mon, 2021-02-22 at 14:31 +0100, Daniel Gustafsson wrote:
>> The attached fixes that as well as implements the sslcrldir
>> support that was committed recently. The crldir parameter isn't applicable to
>> NSS per se since all CRL's are loaded into the NSS database, but it does need
>> to be supported for the tests.
>>
>> The crldir commit also made similar changes to the test harness as I had done
>> to support the NSS database, which made these incompatible. To fix that I've
>> implemented named parameters in switch_server_cert to make it less magic with
>> multiple optional parameters.
>
> The named parameters are a big improvement!
>
> Couple things I've noticed with this patch, back on the OpenSSL side.
> In SSL::Backend::OpenSSL's set_server_conf() implementation:
>
>> + my $sslconf =
>> + "ssl_ca_file='$params->{cafile}.crt'\n"
>> + . "ssl_cert_file='$params->{certfile}.crt'\n"
>> + . "ssl_key_file='$params->{keyfile}.key'\n"
>> + . "ssl_crl_file='$params->{crlfile}'\n";
>> + $sslconf .= "ssl_crl_dir='$params->{crldir}'\n" if defined $params->{crldir};
>> }
>
> this is missing a `return $sslconf` at the end.
Yeah, I was clearly undercaffeinated and forgot to re-run the tests on OpenSSL
after some hackery. Fixed.
> In 001_ssltests.pl:
>
>> -set_server_cert($node, 'server-cn-only', 'root+client_ca',
>> - 'server-password', 'echo wrongpassword');
>> -command_fails(
>> - [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
>> - 'restart fails with password-protected key file with wrong password');
>> -$node->_update_pid(0);
>> +# Since the passphrase callbacks operate at different stages in OpenSSL and
>> +# NSS we have two separate blocks for them
>> +SKIP:
>> +{
>> + skip "Certificate passphrases aren't checked on server restart in NSS", 2
>> + if ($nss);
>> +
>> + switch_server_cert($node,
>> + certfile => 'server-cn-only',
>> + cafile => 'root+client_ca',
>> + keyfile => 'server-password',
>> + nssdatabase => 'server-cn-only.crt__server-password.key.db',
>> + passphrase_cmd => 'echo wrongpassword');
>> +
>> + command_fails(
>> + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
>> + 'restart fails with password-protected key file with wrong password');
>> + $node->_update_pid(0);
>
> The removal of set_server_cert() in favor of switch_server_cert()
> breaks these tests in OpenSSL, because the restart that
> switch_server_cert performs will fail as designed. (The new comment
> above switch_server_cert() suggests maybe you had a switch in mind to
> skip the restart?)
I initially had a restart => 'yes' parameter which turned too repetetive since
nearly all calls wants a restart. When I switched it to an opt-out I missed to
update the tests. Fixed.
> NSS is not affected because we expect the restart to succeed:
>
>> + command_ok(
>> + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
>> + 'restart fails with password-protected key file with wrong password');
>
> but I'd argue that that NSS test and the one after it should probably
> be removed. We already know restart succeeded; otherwise
> switch_server_cert() would have failed. (The test descriptions also
> have the old "restart fails" verbiage.)
Agreed, removed.
--
Daniel Gustafsson https://vmware.com/
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited