From: | Jacob Champion <pchampion(at)vmware(dot)com> |
---|---|
To: | "daniel(at)yesql(dot)se" <daniel(at)yesql(dot)se> |
Cc: | "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de> |
Subject: | Re: Support for NSS as a libpq TLS backend |
Date: | 2021-07-19 19:33:23 |
Message-ID: | a0335cb2367c2763ea8da8c79feca80a74c30a07.camel@vmware.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Wed, 2021-06-23 at 15:48 +0200, Daniel Gustafsson wrote:
> Attached is a rebased version which incorporates your recent patchset for
> resource handling, as well as the connect_ok test patch.
With v38 I do see the "one-time function was previously called and
failed" message you mentioned before, as well as some PR_Assert()
crashes. Looks like it's just due to the placement of
SSL_ClearSessionCache(); gating it behind the conn->nss_context check
ensures that we don't call it if no NSS context actually exists. Patch
attached (0001).
--
Continuing my jog around the patch... client connections will crash if
hostaddr is provided rather than host, because SSL_SetURL can't handle
a NULL argument. I'm running with 0002 to fix it for the moment, but
I'm not sure yet if it does the right thing for IP addresses, which the
OpenSSL side has a special case for.
Early EOFs coming from the server don't currently have their own error
message, which leads to a confusingly empty
connection to server at "127.0.0.1", port 47447 failed:
0003 adds one, to roughly match the corresponding OpenSSL message.
While I was fixing that I noticed that I was getting a "unable to
verify certificate" error message for the early EOF case, even with
sslmode=require. That error message is being printed to conn-
>errorMessage during pg_cert_auth_handler(), even if we're not
verifying certificates, and then that message is included in later
unrelated failures. 0004 patches that.
--Jacob
Attachment | Content-Type | Size |
---|---|---|
0001-nss-move-SSL_ClearSessionCache.patch | text/x-patch | 1.0 KB |
0002-nss-handle-NULL-host.patch | text/x-patch | 1.2 KB |
0003-nss-fix-spurious-unable-to-verify-certificate-messag.patch | text/x-patch | 2.4 KB |
0004-nss-add-client-error-for-unexpected-EOF.patch | text/x-patch | 814 bytes |
From | Date | Subject | |
---|---|---|---|
Next Message | Andres Freund | 2021-07-19 19:59:50 | Avoid stack frame setup in performance critical routines using tail calls |
Previous Message | Mark Dilger | 2021-07-19 18:51:44 | Re: refactoring basebackup.c |