Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Jacob Champion <pchampion(at)vmware(dot)com>
Cc: "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2021-01-20 11:58:13
Message-ID: 8D7F95DB-8F8A-4300-BFDA-656FBAB30FE2@yesql.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> On 20 Jan 2021, at 01:40, Jacob Champion <pchampion(at)vmware(dot)com> wrote:
>
> On Tue, 2021-01-19 at 21:21 +0100, Daniel Gustafsson wrote:
>> There is something iffy with these certs (the test fails
>> on mismatching ciphers and/or signature algorithms) that I haven't been able to
>> pin down, but to get more eyes on this I'm posting the patch with the test
>> enabled.
>
> Removing `--keyUsage keyEncipherment` from the native_server-* CSR
> generation seems to let the tests pass for me, but I'm wary of just
> pushing that as a solution because I don't understand why that would
> have anything to do with the failure mode
> (SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM).

Aha, that was a good clue, I had overlooked the required extensions in the CSR.
Re-reading RFC 5280 it seems we need keyEncipherment, dataEncipherment and
digitalSignature to create a valid SSL Server certificate. Adding those indeed
make the test pass. Skimming the certutil code *I think* removing it as you
did cause a set of defaults to kick in that made it work based on the parameter
"--nsCertType sslServer", but it's not entirely easy to make out. Either way,
relying on defaults in a test suite seems less than good, so I've extended the
Makefile to be explicit about the extensions.

The attached v22 rebase incorporates the fixup to the test Makefile, with not
further changes on top of that.

cheers ./daniel

Attachment Content-Type Size
v22-0001-NSS-Frontend-Backend-and-build-infrastructure.patch application/octet-stream 113.9 KB
v22-0002-NSS-Testharness-updates.patch application/octet-stream 56.9 KB
v22-0003-NSS-pg_strong_random-support.patch application/octet-stream 3.8 KB
v22-0004-NSS-Documentation.patch application/octet-stream 19.8 KB
v22-0005-NSS-contrib-modules.patch application/octet-stream 29.9 KB
v22-0006-NSS-cryptohash-support.patch application/octet-stream 6.6 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Laurenz Albe 2021-01-20 12:02:51 Re: Stronger safeguard for archive recovery not to miss data
Previous Message Michael Paquier 2021-01-20 11:53:10 Re: Allow CLUSTER, VACUUM FULL and REINDEX to change tablespace on the fly