Re: Support for NSS as a libpq TLS backend
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <pchampion@vmware.com>
Cc: "hlinnaka@iki.fi" <hlinnaka@iki.fi>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>,
"andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>,
"sfrost@snowman.net" <sfrost@snowman.net>,
"thomas.munro@gmail.com" <thomas.munro@gmail.com>,
"michael@paquier.xyz" <michael@paquier.xyz>,
"andres@anarazel.de" <andres@anarazel.de>
Date: 2021-02-01T20:49:20Z
Lists: pgsql-hackers
Attachments
- v24-0006-NSS-cryptohash-support.patch (application/octet-stream) patch v24-0006
- v24-0005-NSS-contrib-modules.patch (application/octet-stream) patch v24-0005
- v24-0004-NSS-Documentation.patch (application/octet-stream) patch v24-0004
- v24-0003-NSS-pg_strong_random-support.patch (application/octet-stream) patch v24-0003
- v24-0002-NSS-Testharness-updates.patch (application/octet-stream) patch v24-0002
- v24-0001-NSS-Frontend-Backend-and-build-infrastructure.patch (application/octet-stream) patch v24-0001
> On 20 Jan 2021, at 18:07, Jacob Champion <pchampion@vmware.com> wrote: > To continue the Subject Common Name discussion [1] from a different > part of the thread: > > Attached is a v23 version of the patchset that peels the raw Common > Name out from a client cert's Subject. This allows the following cases > that the OpenSSL implementation currently handles: > > - subjects that don't begin with a CN > - subjects with quotable characters > - subjects that have no CN at all Nice, thanks for fixing this! > Embedded NULLs are now handled in a similar manner to the OpenSSL side, > though because this failure happens during the certificate > authentication callback, it results in a TLS alert rather than simply > closing the connection. But returning SECFailure from the cert callback force NSS to terminate the connection immediately doesn't it? > For easier review of just the parts I've changed, I've also attached a > since-v22.diff, which is part of the 0001 patch. I confused my dev trees and missed to include this in the v23 that I sent out (which should've been v24), sorry about that. Attached is a v24 which is rebased on top of todays --with-ssl commit, and now includes your changes. Additionally I've added a shutdown callback such that we close the connection immediately if NSS is shutting down from underneath us. I can't imagine a scenario in which that's benign, so let's take whatever precautions we can. I've also changed the NSS initialization in the cryptohash code to closer match what the NSS documentation recommends for similar scenarios, but more on that downthread where that's discussed. -- Daniel Gustafsson https://vmware.com/
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited