Re: Support for NSS as a libpq TLS backend
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Michael Paquier <michael@paquier.xyz>
Cc: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>,
Stephen Frost <sfrost@snowman.net>,
Thomas Munro <thomas.munro@gmail.com>
Date: 2020-10-02T20:01:37Z
Lists: pgsql-hackers
Attachments
- 0001-Support-for-NSS-as-a-TLS-backend-v11.patch (application/octet-stream) patch v11-0001
> On 29 Sep 2020, at 09:52, Daniel Gustafsson <daniel@yesql.se> wrote: > >> On 29 Sep 2020, at 07:59, Michael Paquier <michael@paquier.xyz> wrote: >> >> On Thu, Sep 17, 2020 at 11:41:28AM +0200, Daniel Gustafsson wrote: >>> Attached is a v10 rebased to apply on top of HEAD. >> >> I am afraid that this needs a new rebase. The patch is failing to >> apply, per the CF bot. :/ > > It's failing on binary diffs due to the NSS certificate databases being > included to make hacking on the patch easier: > > File src/test/ssl/ssl/nss/server.crl: git binary diffs are not supported. > > This is a limitation of the CFBot patch tester, the text portions of the patch > still applies with a tiny but of fuzz. Attached is a new version which doesn't contain the NSS certificate databases to keep the CFBot happy. It also implements server-side passphrase callbacks as well as re-enables the tests for those. The callback works a bit differently from the OpenSSL one as it must run in the forked process, so it can't run on server reload. There's also no default fallback reading from a TTY like in OpenSSL, so if no callback it set the always-failing dummy is set. cheers ./daniel
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited