Re: Support for NSS as a libpq TLS backend
Jacob Champion <pchampion@vmware.com>
From: Jacob Champion <pchampion@vmware.com>
To: "daniel@yesql.se" <daniel@yesql.se>, "thomas.munro@gmail.com" <thomas.munro@gmail.com>
Cc: "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, "sfrost@snowman.net" <sfrost@snowman.net>
Date: 2021-02-17T01:02:15Z
Lists: pgsql-hackers
On Mon, 2020-07-20 at 15:35 +0200, Daniel Gustafsson wrote: > This version adds support for sslinfo on NSS for most the functions. I've poked around to see what can be done about the unimplemented ssl_client_dn_field/ssl_issuer_field functions. There's a nasty soup of specs to wade around in, and it's not really clear to me which ones take precedence since they're mostly centered on LDAP. My take on it is that OpenSSL has done its own thing here, with almost- based-on-a-spec-but-not-quite semantics. NSS has no equivalents to many of the field names that OpenSSL supports (e.g. "commonName"). Likewise, OpenSSL doesn't support case-insensitivity (e.g. "cn" in addition to "CN") as many of the relevant RFCs require. They do both support dotted-decimal representations, so we could theoretically get feature parity there without a huge amount of work. For the few attributes that NSS has a public API for retrieving: - common name - country - locality - state - organization - domain component - org. unit - DN qualifier - uid - email address(es?) we could hardcode the list of OpenSSL-compatible names, and just translate manually in sslinfo. Then leave the rest up to dotted-decimal OIDs. Would that be desirable, or do we want this interface to be something more generally compatible with (some as-of-yet unspecified) spec? --Jacob
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited