Re: Support for NSS as a libpq TLS backend

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <pchampion@vmware.com>
Cc: "michael@paquier.xyz" <michael@paquier.xyz>, "hlinnaka@iki.fi" <hlinnaka@iki.fi>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, "andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>, "thomas.munro@gmail.com" <thomas.munro@gmail.com>, "andres@anarazel.de" <andres@anarazel.de>, "sfrost@snowman.net" <sfrost@snowman.net>
Date: 2021-02-22T13:31:13Z
Lists: pgsql-hackers

Attachments

> On 18 Feb 2021, at 21:33, Jacob Champion <pchampion@vmware.com> wrote:
> 
> On Wed, 2021-02-17 at 22:35 +0100, Daniel Gustafsson wrote:
>> Attached is a rebase on top of this and the recent cryptohash changes to pass
>> in buffer lengths to the _final function.  On top of that, I fixed up and
>> expanded the documentation, improved SCRAM handling (by using NSS digest
>> operations which are better suited) and reworded and expanded comments.  This
>> patch version is, I think, feature complete with the OpenSSL implementation.
> 
> fe-secure-nss.c is no longer compiling as of this patchset; looks
> like pgtls_open_client() has a truncated statement.

Ouch, I had a local mismerge that snuck in as I moved the branch around for
submission here.  The attached fixes that as well as implements the sslcrldir
support that was committed recently.  The crldir parameter isn't applicable to
NSS per se since all CRL's are loaded into the NSS database, but it does need
to be supported for the tests.

The crldir commit also made similar changes to the test harness as I had done
to support the NSS database, which made these incompatible.  To fix that I've
implemented named parameters in switch_server_cert to make it less magic with
multiple optional parameters.

--
Daniel Gustafsson		https://vmware.com/

Commits

  1. Add tab-completion for CREATE FOREIGN TABLE.

  2. Add tap tests for the schema publications.

  3. Move Perl test modules to a better namespace

  4. Adjust configure to insist on Perl version >= 5.8.3.

  5. Simplify code related to compilation of SSL and OpenSSL

  6. Introduce --with-ssl={openssl} as a configure option

  7. Implement support for bulk inserts in postgres_fdw

  8. Fix redundant error messages in client tools

  9. doc: Apply more consistently <productname> markup for OpenSSL

  10. Check ssl_in_use flag when reporting statistics