From: | Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
Cc: | Kevin Burke <kevin(at)burke(dot)dev>, Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "rachelmheaton(at)gmail(dot)com" <rachelmheaton(at)gmail(dot)com>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de> |
Subject: | Re: Support for NSS as a libpq TLS backend |
Date: | 2021-11-23 22:39:12 |
Message-ID: | CAGB+Vh55X1rDQ44msjQj9G1V0k6k7=Hj_Xo97xk_9e4g0wMMoQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Tue, Nov 23, 2021 at 9:12 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
> > On 17 Nov 2021, at 19:42, Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
> > On Tue, Nov 16, 2021 at 1:26 PM Joshua Brindle
> > <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
>
> >> I think there is a typo in the docs here that prevents them from
> >> building (this diff seems to fix it):
>
> Ah yes, thanks, I had noticed that one but forgot to send out a new version to
> make the CFBot green.
>
> > After a bit more testing, the server is up and running with an nss
> > database but before configuring the client database I tried connecting
> > and got a segfault:
>
> Interesting. I'm unable to reproduce this crash, can you show the sequence of
> commands which led to this?

It no longer happens with v49, since it was a null deref of the pr_fd
which no longer happens.

I'll continue testing now, so far it's looking better.

Did the build issue with --with-llvm get fixed in this update also? I
haven't tried building with it yet.

> > It looks like the ssl connection falls through to attempt a non-ssl
> > connection but at some point conn->ssl_in_use gets set to true,
> > despite pr_fd and nss_context being null.
>
> pgtls_close missed setting ssl_in_use to false, fixed in the attached. I've
> also added some assertions to the connection setup for debugging this.
>
> > This patch fixes the segfault but I suspect is not the correct fix,
> > due to the error when connecting saying "Success":
>
> Right, without an SSL enabled FD we should never get here.
>
Thank you.