Re: Support for NSS as a libpq TLS backend
Jacob Champion <pchampion@vmware.com>
From: Jacob Champion <pchampion@vmware.com>
To: "daniel@yesql.se" <daniel@yesql.se>
Cc: "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, "hlinnaka@iki.fi" <hlinnaka@iki.fi>, "andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>, "michael@paquier.xyz" <michael@paquier.xyz>, "thomas.munro@gmail.com" <thomas.munro@gmail.com>, "andres@anarazel.de" <andres@anarazel.de>, "sfrost@snowman.net" <sfrost@snowman.net>
Date: 2021-09-27T16:29:43Z
Lists: pgsql-hackers
On Mon, 2021-09-27 at 15:44 +0200, Daniel Gustafsson wrote: > > On 21 Sep 2021, at 02:06, Jacob Champion <pchampion@vmware.com> wrote: > > but I'm not sure that would be > > correct either. If the user has the default sslsni="1" and supplies an > > IP address for the host parameter, I don't think we should fail the > > connection. > > Maybe not, but doing so is at least in line with how the OpenSSL support will > handle the same config AFAICT. Or am I missing something? With OpenSSL, I don't see a connection failure when using sslsni=1 with IP addresses. (verify-full can't work, but that's a separate problem.) > > > + if (host && host[0] && > > > + !(strspn(host, "0123456789.") == strlen(host) || > > > + strchr(host, ':'))) > > > + SSL_SetURL(conn->pr_fd, host); > > > > It looks like NSS may already have some code that prevents SNI from > > being sent for IP addresses, so that part of the guard might not be > > necessary. (And potentially counterproductive, because it looks like > > NSS can perform verification against the certificate's SANs if you pass > > an IP address to SSL_SetURL().) > > Skimming the NSS code I wasn't able find the countermeasures, can you provide a > reference to where I should look? I see the check in ssl_ShouldSendSNIExtension(), in ssl3exthandle.c. > Feel free to post a new version of the NSS patch with these changes if you want. Will do! Thanks, --Jacob
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited