From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com> |
Subject: | Re: Support for NSS as a libpq TLS backend |
Date: | 2020-10-02 20:01:37 |
Message-ID: | 411593A7-E037-474D-BFD7-D3D6683C1D46@yesql.se |
Lists: | pgsql-hackers |
> On 29 Sep 2020, at 09:52, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
>> On 29 Sep 2020, at 07:59, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>>
>> On Thu, Sep 17, 2020 at 11:41:28AM +0200, Daniel Gustafsson wrote:
>>> Attached is a v10 rebased to apply on top of HEAD.
>>
>> I am afraid that this needs a new rebase. The patch is failing to
>> apply, per the CF bot. :/
>
> It's failing on binary diffs due to the NSS certificate databases being
> included to make hacking on the patch easier:
>
> File src/test/ssl/ssl/nss/server.crl: git binary diffs are not supported.
>
> This is a limitation of the CFBot patch tester, the text portions of the patch
> still apply with a tiny bit of fuzz.

Attached is a new version which doesn't contain the NSS certificate databases
to keep the CFBot happy.

It also implements server-side passphrase callbacks as well as re-enables the
tests for those. The callback works a bit differently from the OpenSSL one as
it must run in the forked process, so it can't run on server reload. There's
also no default fallback reading from a TTY like in OpenSSL, so if no callback
is set, the always-failing dummy is set.

cheers ./daniel

Attachment | Content-Type | Size |
---|---|---|
0001-Support-for-NSS-as-a-TLS-backend-v11.patch | application/octet-stream | 167.5 KB |