Re: Support for NSS as a libpq TLS backend
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>,
Stephen Frost <sfrost@snowman.net>
Date: 2020-09-01T12:43:58Z
Lists: pgsql-hackers
Attachments
- 0001-docs-consistent-markup-for-OpenSSL-and-SSL-v9.patch (application/octet-stream) patch v9-0001
- 0002-Support-for-NSS-as-a-TLS-backend-v9.patch (application/octet-stream) patch v9-0002
> On 5 Aug 2020, at 22:38, Andrew Dunstan <andrew.dunstan@2ndquadrant.com> wrote: > > On 8/4/20 5:42 PM, Daniel Gustafsson wrote: >>> On 3 Aug 2020, at 21:18, Andrew Dunstan <andrew.dunstan@2ndquadrant.com> wrote: >>> On 8/3/20 12:46 PM, Andrew Dunstan wrote: >>>> On 7/31/20 4:44 PM, Andrew Dunstan wrote: >>>>> OK, here is an update of your patch that compiles and runs against NSS >>>>> under Windows (VS2019). >> Out of curiosity since I'm not familiar with Windows, how hard/easy is it to >> install NSS for the purpose of a) hacking on postgres+NSS and b) using postgres >> with NSS as the backend? > > I've laid out the process at > https://www.2ndquadrant.com/en/blog/nss-on-windows-for-postgresql-development/ That's fantastic, thanks for putting that together. >>>> OK, this version contains pre-generated nss files, and passes a full >>>> buildfarm run including the ssl test module, with both openssl and NSS. >>>> That should keep the cfbot happy :-) Turns out the CFBot doesn't like the binary diffs. They are included in this version too but we should probably drop them again it seems. >> Exciting, thanks a lot for helping out on this! I've started to look at the >> required documentation changes during vacation, will hopefully be able to post >> something soon. > > Good. Having got the tests running cleanly on Linux, I'm now going back > to work on that for Windows. > > After that I'll look at the hook/callback stuff. The attached v9 contains mostly a first stab at getting some documentation going, it's far from completed but I'd rather share more frequently to not have local trees deviate too much in case you've had time to hack as well. I had a few documentation tweaks in the code too, but no real functionality change for now. The 0001 patch isn't strictly necessary but it seems reasonable to address the various ways OpenSSL was spelled out in the docs while at updating the SSL portions. It essentially ensures that markup around OpenSSL and SSL is used consistently. I didn't address the linelengths being too long in this patch to make review easier instead. cheers ./daniel
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited