Re: Support for NSS as a libpq TLS backend
Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
From: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>,
Stephen Frost <sfrost@snowman.net>
Date: 2020-08-03T16:46:24Z
Lists: pgsql-hackers
Attachments
- 0001-WIP-Support-libnss-for-as-TLS-backend-v7.patch (text/x-patch)
On 7/31/20 4:44 PM, Andrew Dunstan wrote: > On 7/15/20 6:18 PM, Daniel Gustafsson wrote: >>> On 15 Jul 2020, at 20:35, Andrew Dunstan <andrew.dunstan@2ndquadrant.com> wrote: >>> >>> On 5/15/20 4:46 PM, Daniel Gustafsson wrote: >>>> My plan is to keep hacking at this to have it reviewable for the 14 cycle, so >>>> if anyone has an interest in NSS, then I would love to hear feedback on how it >>>> works (and doesn't work). >>> I'll be happy to help, particularly with Windows support and with some >>> of the callback stuff I've had a hand in. >> That would be fantastic, thanks! The password callback handling is still a >> TODO so feel free to take a stab at that since you have a lot of context on >> there. >> >> For Windows, I've include USE_NSS in Solution.pm as Thomas pointed out in this >> thread, but that was done blind as I've done no testing on Windows yet. >> > > OK, here is an update of your patch that compiles and runs against NSS > under Windows (VS2019). > > > In addition to some work that was missing in src/tools/msvc, I had to > make a few adjustments, including: > > > * strtok_r() isn't available on Windows. We don't use it elsewhere in > the postgres code, and it seemed unnecessary to have reentrant calls > here, so I just replaced it with equivalent strtok() calls. > * We were missing an NSS implementation of > pgtls_verify_peer_name_matches_certificate_guts(). I supplied a > dummy that's enough to get it building cleanly, but that needs to be > filled in properly. > > > There is still plenty of work to go, but this seemed a sufficient > milestone to report progress on. > > OK, this version contains pre-generated nss files, and passes a full buildfarm run including the ssl test module, with both openssl and NSS. That should keep the cfbot happy :-) cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited