Re: Support for NSS as a libpq TLS backend
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <pchampion@vmware.com>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>,
Andres Freund <andres@anarazel.de>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>,
Michael Paquier <michael@paquier.xyz>,
Andrew Dunstan <andrew.dunstan@2ndquadrant.com>,
Stephen Frost <sfrost@snowman.net>,
Thomas Munro <thomas.munro@gmail.com>
Date: 2020-11-06T23:11:15Z
Lists: pgsql-hackers
Attachments
- v18-0001-NSS-Frontend-Backend-and-build-infrastructure.patch (application/octet-stream) patch v18-0001
- v18-0002-NSS-Testharness-updates.patch (application/octet-stream) patch v18-0002
- v18-0003-NSS-pg_strong_random-support.patch (application/octet-stream) patch v18-0003
- v18-0004-NSS-Documentation.patch (application/octet-stream) patch v18-0004
- v18-0005-NSS-contrib-modules.patch (application/octet-stream) patch v18-0005
> On 6 Nov 2020, at 21:37, Jacob Champion <pchampion@vmware.com> wrote: > Some initial notes from building and testing on macOS Mojave. I'm working with > both a brew-packaged NSS/NSPR (which includes basic nss-/nspr-config) and a > hand-built NSS/NSPR (which does not). Thanks for looking! > 1. In configure.ac: > >> + LDFLAGS="$LDFLAGS $NSS_LIBS $NSPR_LIBS" >> + CFLAGS="$CFLAGS $NSS_CFLAGS $NSPR_CFLAGS" >> + >> + AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [], [AC_MSG_ERROR([library 'nss3' is required for NSS])]) > > Looks like SSL_VersionRangeSet is part of libssl3, not libnss3. So this fails > with the hand-built stack, where there is no nss-config to populate LDFLAGS. I > changed the function to NSS_InitContext and that seems to work nicely. Ah yes, fixed. > 2. Among the things to eventually think about when it comes to configuring, it > looks like some platforms [1] install the headers under <nspr4/...> and > <nss3/...> instead of <nspr/...> and <nss/...>. It's unfortunate that the NSS > maintainers never chose an official installation layout. Yeah, maybe we need to start with the most common path and have fallbacks in case not found? > 3. I need two more `#define NO_NSPR_10_SUPPORT` guards added in both > > src/include/common/pg_nss.h > src/port/pg_strong_random.c > > before the tree will compile for me. Both of those files include NSS headers. Odd that I was able to compile on Linux, but I've added these. > 4. be_tls_init() refuses to run correctly for me; I end up getting an NSPR > assertion that looks like > > sslMutex_Init not implemented for multi-process applications ! > > With assertions disabled, this ends up showing a somewhat unhelpful > > FATAL: unable to set up TLS connection cache: security library failure. (SEC_ERROR_LIBRARY_FAILURE) > > It looks like cross-process locking isn't actually enabled on macOS, which is a > long-standing bug in NSPR [2, 3]. So calls to SSL_ConfigMPServerSIDCache() > error out. Thats unfortunate since the session cache is required for a server application backed by NSS. The attached switches to SSL_ConfigServerSessionIDCacheWithOpt with which one can explicitly make the cache non-shared, which in turn backs the mutexes with NSPR locks rather than the missing sem_init. Can you test this version and see if that makes it work? This version also contains a channel binding bug that Heikki pointed out off- list (sadly not The bug) and a few very minor cleanups as well as a rebase to handle the new pg_strong_random_init. Actually performing the context init there is yet a TODO, but I wanted a version out that at all compiled. cheers ./daniel
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited