Re: Support for NSS as a libpq TLS backend

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Michael Paquier <michael@paquier.xyz>
Cc: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>, Postgres hackers <pgsql-hackers@lists.postgresql.org>, Stephen Frost <sfrost@snowman.net>, Thomas Munro <thomas.munro@gmail.com>
Date: 2020-10-02T20:01:37Z
Lists: pgsql-hackers

Attachments

> On 29 Sep 2020, at 09:52, Daniel Gustafsson <daniel@yesql.se> wrote:
> 
>> On 29 Sep 2020, at 07:59, Michael Paquier <michael@paquier.xyz> wrote:
>> 
>> On Thu, Sep 17, 2020 at 11:41:28AM +0200, Daniel Gustafsson wrote:
>>> Attached is a v10 rebased to apply on top of HEAD.
>> 
>> I am afraid that this needs a new rebase.  The patch is failing to
>> apply, per the CF bot. :/
> 
> It's failing on binary diffs due to the NSS certificate databases being
> included to make hacking on the patch easier:
> 
>  File src/test/ssl/ssl/nss/server.crl: git binary diffs are not supported.
> 
> This is a limitation of the CFBot patch tester, the text portions of the patch
> still applies with a tiny but of fuzz.

Attached is a new version which doesn't contain the NSS certificate databases
to keep the CFBot happy.

It also implements server-side passphrase callbacks as well as re-enables the
tests for those.  The callback works a bit differently from the OpenSSL one as
it must run in the forked process, so it can't run on server reload.  There's
also no default fallback reading from a TTY like in OpenSSL, so if no callback
it set the always-failing dummy is set.

cheers ./daniel

Commits

  1. Add tab-completion for CREATE FOREIGN TABLE.

  2. Add tap tests for the schema publications.

  3. Move Perl test modules to a better namespace

  4. Adjust configure to insist on Perl version >= 5.8.3.

  5. Simplify code related to compilation of SSL and OpenSSL

  6. Introduce --with-ssl={openssl} as a configure option

  7. Implement support for bulk inserts in postgres_fdw

  8. Fix redundant error messages in client tools

  9. doc: Apply more consistently <productname> markup for OpenSSL

  10. Check ssl_in_use flag when reporting statistics