On Wed, Dec 15, 2021 at 5:05 PM Daniel Gustafsson <dan...@yesql.se> wrote:
>
> > On 25 Nov 2021, at 14:39, Joshua Brindle <joshua.brin...@crunchydata.com>
> > wrote:
> > On Wed, Nov 24, 2021 at 8:49 AM Joshua Brindle
> > <joshua.brin...@crunchydata.com> wrote:
> >>
> >> On Wed, Nov 24, 2021 at 8:46 AM Joshua Brindle
> >> <joshua.brin...@crunchydata.com> wrote:
>
> >> I don't know enough about NSS to know if this is problematic or not
> >> but if I try verify-full without having the root CA in the certificate
> >> store I get:
> >>
> >> $ /usr/pgsql-15/bin/psql "host=localhost sslmode=verify-full user=postgres"
> >> psql: error: SSL error: Issuer certificate is invalid.
> >> unable to shut down NSS context: NSS could not shutdown. Objects are
> >> still in use.
>
> Fixed.
>
> > Something is strange with ssl downgrading and a bad ssldatabase
> > [postgres@11cdfa30f763 ~]$ /usr/pgsql-15/bin/psql "ssldatabase=oops
> > sslcert=client_cert host=localhost"
> > Password for user postgres:
> >
> > <freezes here>
>
> Also fixed.
>
> > On the server side:
> > 2021-11-25 01:52:01.984 UTC [269] LOG: unable to handshake:
> > Encountered end of file (PR_END_OF_FILE_ERROR)
>
> This is normal and expected, but to make it easier on users I've changed this
> error message to be aligned with the OpenSSL implementation.
>
> > Other than that and I still haven't tested --with-llvm I've gotten
> > everything working, including with an openssl client. Attached is a
> > dockerfile that gets to the point where a client can connect with
> > clientcert=verify-full. I've removed some of the old cruft and
> > debugging from the previous versions.
>
> Very cool, thanks! I've been unable to reproduce any issues with llvm but I'll
> keep poking at that. A new version will be posted shortly with the above and a
> few more fixes.

For v50 this change was required for an llvm build to succeed on my Fedora system: diff --git a/configure b/configure index 25388a75a2..62d554806a 100755 --- a/configure +++ b/configure @@ -13276,6 +13276,7 @@ fi LDFLAGS="$LDFLAGS $NSS_LIBS $NSPR_LIBS" CFLAGS="$CFLAGS $NSS_CFLAGS $NSPR_CFLAGS" + CPPFLAGS="$CPPFLAGS $NSS_CFLAGS $NSPR_CFLAGS" $as_echo "#define USE_NSS 1" >>confdefs.h I'm not certain why configure didn't already have that, configure.ac appears to, but nonetheless it builds, all tests succeed, and a quick tire kicking looks good. Thank you.
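
Review bot: The added `CPPFLAGS="$CPPFLAGS $NSS_CFLAGS $NSPR_CFLAGS"` line in the `@@ -13276,6 +13276,7 @@` hunk is a hand edit to the generated configure script, while the message itself notes that configure.ac already appears to have it. Rather than patching configure directly, regenerate it from configure.ac with autoconf and include the regenerated file in the patch set, so the two files do not drift and the llvm build succeeds without a local change.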