Re: Support for NSS as a libpq TLS backend
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: Andres Freund <andres@anarazel.de>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>,
Michael Paquier <michael@paquier.xyz>,
Andrew Dunstan <andrew.dunstan@2ndquadrant.com>,
Stephen Frost <sfrost@snowman.net>,
Thomas Munro <thomas.munro@gmail.com>
Date: 2020-11-01T22:04:18Z
Lists: pgsql-hackers
Attachments
- v16-0001-NSS-Frontend-Backend-and-build-infra.patch (application/octet-stream) patch v16-0001
- v16-0002-NSS-Testharness-updates.patch (application/octet-stream) patch v16-0002
- v16-0003-NSS-pg_strong_random-support.patch (application/octet-stream) patch v16-0003
- v16-0004-NSS-Documentation.patch (application/octet-stream) patch v16-0004
- v16-0005-NSS-contrib-modules.patch (application/octet-stream) patch v16-0005
> On 1 Nov 2020, at 14:13, Andrew Dunstan <andrew@dunslane.net> wrote: > I've been looking through the new patch set, in particular the testing > setup. Thanks! > The way it seems to proceed is to use the existing openssl generated > certificates and imports them into NSS certificate databases. That seems > fine to bootstrap testing, That's pretty much why I opted for using the existing certs: to bootstrap the patch and ensure OpenSSL-backend compatibility. > but it seems to me it would be more sound not > to rely on openssl at all. I'd rather see the Makefile containing > commands to create these from scratch, which mirror the openssl > variants. IOW you should be able to build and test this from scratch, > including certificate generation, without having openssl installed at all. I don't disagree with this, but I do also believe there is value in testing all TLS backends with exactly the same certificates to act as a baseline. The nssfiles target should definitely be able to generate from scratch, but maybe a combination is the best option? Being well versed in the buildfarm code, do you have an off-the-cuff idea on how to do cross library testing such that OpenSSL/NSS compatibility can be ensured? Andres was floating the idea of making a single sourcetree be able to have both for testing but more discussion is needed to settle on a way forward. > I also notice that the invocations to pk12util don't contain the "sql:" > prefix to the -d option, even though the database was created with that > prefix a few lines above. That seems like a mistake from my reading of > the pk12util man page. Fixed in the attached v16, which also drops the parts of the patchset which have been submitted separately to -hackers (the sslinfo patch hunks are still there are they are required). cheers ./daniel
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited