Re: Support for NSS as a libpq TLS backend

Andrew Dunstan <andrew.dunstan@2ndquadrant.com>

From: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>, Stephen Frost <sfrost@snowman.net>
Date: 2020-08-03T16:46:24Z
Lists: pgsql-hackers

Attachments

On 7/31/20 4:44 PM, Andrew Dunstan wrote:
> On 7/15/20 6:18 PM, Daniel Gustafsson wrote:
>>> On 15 Jul 2020, at 20:35, Andrew Dunstan <andrew.dunstan@2ndquadrant.com> wrote:
>>>
>>> On 5/15/20 4:46 PM, Daniel Gustafsson wrote:
>>>> My plan is to keep hacking at this to have it reviewable for the 14 cycle, so
>>>> if anyone has an interest in NSS, then I would love to hear feedback on how it
>>>> works (and doesn't work).
>>> I'll be happy to help, particularly with Windows support and with some
>>> of the callback stuff I've had a hand in.
>> That would be fantastic, thanks!  The password callback handling is still a
>> TODO so feel free to take a stab at that since you have a lot of context on
>> there.
>>
>> For Windows, I've include USE_NSS in Solution.pm as Thomas pointed out in this
>> thread, but that was done blind as I've done no testing on Windows yet.
>>
>
> OK, here is an update of your patch that compiles and runs against NSS
> under Windows (VS2019).
>
>
> In addition to some work that was missing in src/tools/msvc, I had to
> make a few adjustments, including:
>
>
>   * strtok_r() isn't available on Windows. We don't use it elsewhere in
>     the postgres code, and it seemed unnecessary to have reentrant calls
>     here, so I just replaced it with equivalent strtok() calls.
>   * We were missing an NSS implementation of
>     pgtls_verify_peer_name_matches_certificate_guts(). I supplied a
>     dummy that's enough to get it building cleanly, but that needs to be
>     filled in properly.
>
>
> There is still plenty of work to go, but this seemed a sufficient
> milestone to report progress on.
>
>


OK, this version contains pre-generated nss files, and passes a full
buildfarm run including the ssl test module, with both openssl and NSS.
That should keep the cfbot happy :-)


cheers


andrew


-- 
Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Commits

  1. Add tab-completion for CREATE FOREIGN TABLE.

  2. Add tap tests for the schema publications.

  3. Move Perl test modules to a better namespace

  4. Adjust configure to insist on Perl version >= 5.8.3.

  5. Simplify code related to compilation of SSL and OpenSSL

  6. Introduce --with-ssl={openssl} as a configure option

  7. Implement support for bulk inserts in postgres_fdw

  8. Fix redundant error messages in client tools

  9. doc: Apply more consistently <productname> markup for OpenSSL

  10. Check ssl_in_use flag when reporting statistics