Re: Support for NSS as a libpq TLS backend
Jacob Champion <pchampion@vmware.com>
From: Jacob Champion <pchampion@vmware.com>
To: "daniel@yesql.se" <daniel@yesql.se>
Cc: "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, "hlinnaka@iki.fi" <hlinnaka@iki.fi>, "andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>, "andres@anarazel.de" <andres@anarazel.de>, "thomas.munro@gmail.com" <thomas.munro@gmail.com>, "sfrost@snowman.net" <sfrost@snowman.net>, "michael@paquier.xyz" <michael@paquier.xyz>
Date: 2021-06-15T23:50:14Z
Lists: pgsql-hackers
Attachments
On Wed, 2021-06-16 at 00:08 +0200, Daniel Gustafsson wrote: > > On 15 Jun 2021, at 00:15, Jacob Champion <pchampion@vmware.com> wrote: > > Attached is a quick patch; does it work on your machine? > > It does, thanks! I've included it in the attached v37 along with a few tiny > non-functional improvements in comment spelling etc. Great, thanks! I've been tracking down reference leaks in the client. These open references prevent NSS from shutting down cleanly, which then makes it impossible to open a new context in the future. This probably affects other libpq clients more than it affects psql. The first step to fixing that is not ignoring failures during NSS shutdown, so I've tried a patch to pgtls_close() that pushes any failures through the pqInternalNotice(). That seems to be working well. The tests were still mostly green, so I taught connect_ok() to fail if any stderr showed up, and that exposed quite a few failures. I am currently stuck on one last failing test. This leak seems to only show up when using TLSv1.2 or below. There doesn't seem to be a substantial difference in libpq code coverage between 1.2 and 1.3, so I'm worried that either 1) there's some API we use that "requires" cleanup, but only on 1.2 and below, or 2) there's some bug in my version of NSS. Attached are a few work-in-progress patches. I think the reference cleanups themselves are probably solid, but the rest of it could use some feedback. Are there better ways to test for this? and can anyone reproduce the TLSv1.2 leak? --Jacob
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited