Re: Support for NSS as a libpq TLS backend

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <pchampion@vmware.com>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>, Andres Freund <andres@anarazel.de>, Postgres hackers <pgsql-hackers@lists.postgresql.org>, Michael Paquier <michael@paquier.xyz>, Andrew Dunstan <andrew.dunstan@2ndquadrant.com>, Stephen Frost <sfrost@snowman.net>, Thomas Munro <thomas.munro@gmail.com>
Date: 2020-11-06T23:11:15Z
Lists: pgsql-hackers

Attachments

> On 6 Nov 2020, at 21:37, Jacob Champion <pchampion@vmware.com> wrote:

> Some initial notes from building and testing on macOS Mojave. I'm working with
> both a brew-packaged NSS/NSPR (which includes basic nss-/nspr-config) and a
> hand-built NSS/NSPR (which does not).

Thanks for looking!

> 1. In configure.ac:
> 
>> +  LDFLAGS="$LDFLAGS $NSS_LIBS $NSPR_LIBS"
>> +  CFLAGS="$CFLAGS $NSS_CFLAGS $NSPR_CFLAGS"
>> +
>> +  AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [], [AC_MSG_ERROR([library 'nss3' is required for NSS])])
> 
> Looks like SSL_VersionRangeSet is part of libssl3, not libnss3. So this fails
> with the hand-built stack, where there is no nss-config to populate LDFLAGS. I
> changed the function to NSS_InitContext and that seems to work nicely.

Ah yes, fixed.

> 2. Among the things to eventually think about when it comes to configuring, it
> looks like some platforms [1] install the headers under <nspr4/...> and
> <nss3/...> instead of <nspr/...> and <nss/...>. It's unfortunate that the NSS
> maintainers never chose an official installation layout.

Yeah, maybe we need to start with the most common path and have fallbacks in
case not found?

> 3. I need two more `#define NO_NSPR_10_SUPPORT` guards added in both
> 
>  src/include/common/pg_nss.h
>  src/port/pg_strong_random.c
> 
> before the tree will compile for me. Both of those files include NSS headers.

Odd that I was able to compile on Linux, but I've added these.

> 4. be_tls_init() refuses to run correctly for me; I end up getting an NSPR
> assertion that looks like
> 
>  sslMutex_Init not implemented for multi-process applications !
> 
> With assertions disabled, this ends up showing a somewhat unhelpful
> 
>  FATAL:  unable to set up TLS connection cache: security library failure. (SEC_ERROR_LIBRARY_FAILURE)
> 
> It looks like cross-process locking isn't actually enabled on macOS, which is a
> long-standing bug in NSPR [2, 3]. So calls to SSL_ConfigMPServerSIDCache()
> error out.

Thats unfortunate since the session cache is required for a server application
backed by NSS.  The attached switches to SSL_ConfigServerSessionIDCacheWithOpt
with which one can explicitly make the cache non-shared, which in turn backs
the mutexes with NSPR locks rather than the missing sem_init.  Can you test
this version and see if that makes it work?

This version also contains a channel binding bug that Heikki pointed out off-
list (sadly not The bug) and a few very minor cleanups as well as a rebase to
handle the new pg_strong_random_init.  Actually performing the context init
there is yet a TODO, but I wanted a version out that at all compiled.

cheers ./daniel

Commits

  1. Add tab-completion for CREATE FOREIGN TABLE.

  2. Add tap tests for the schema publications.

  3. Move Perl test modules to a better namespace

  4. Adjust configure to insist on Perl version >= 5.8.3.

  5. Simplify code related to compilation of SSL and OpenSSL

  6. Introduce --with-ssl={openssl} as a configure option

  7. Implement support for bulk inserts in postgres_fdw

  8. Fix redundant error messages in client tools

  9. doc: Apply more consistently <productname> markup for OpenSSL

  10. Check ssl_in_use flag when reporting statistics