| From: | Jacob Champion <pchampion(at)vmware(dot)com> |
|---|---|
| To: | "daniel(at)yesql(dot)se" <daniel(at)yesql(dot)se>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com> |
| Cc: | "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net> |
| Subject: | Re: Support for NSS as a libpq TLS backend |
| Date: | 2021-01-29 01:06:22 |
| Message-ID: | 4ce630770697cff2e64aa12a815a5ad7f692ab65.camel@vmware.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, 2021-01-21 at 20:16 +0000, Jacob Champion wrote:
> I think we're missing a counterpart to this piece of the OpenSSL
> implementation, in be_tls_init():
Never mind. Using SSL_SetTrustAnchor is something we could potentially
do if we wanted to further limit the CAs that are actually sent to the
client, but it shouldn't be necessary to get the tests to pass.
I now think that it's just a matter of making sure that the "server-cn-
only" DB has the root_ca.crt included, so that it can correctly
validate the client certificate. Incidentally I think this should also
fix the remaining failing SCRAM test. I'll try to get a patch out
tomorrow, if adding the root CA doesn't invalidate some other test
logic.
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bharath Rupireddy | 2021-01-29 01:18:36 | Re: [PATCH] postgres_fdw connection caching - cause remote sessions linger till the local session exit |
| Previous Message | Hou, Zhijie | 2021-01-29 01:01:01 | RE: Determine parallel-safety of partition relations for Inserts |