Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lmMf1-00039U-MH for pgsql-hackers@arkaria.postgresql.org; Thu, 27 May 2021 20:31:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1lmMf0-00068U-Dx for pgsql-hackers@arkaria.postgresql.org; Thu, 27 May 2021 20:31:18 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lmMf0-00068M-64 for pgsql-hackers@lists.postgresql.org; Thu, 27 May 2021 20:31:18 +0000 Received: from smtp.outgoing.loopia.se ([93.188.3.37]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lmMex-0005dy-6w for pgsql-hackers@lists.postgresql.org; Thu, 27 May 2021 20:31:17 +0000 Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 50EBE2E65852 for ; Thu, 27 May 2021 22:31:11 +0200 (CEST) Received: from s645.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id 40AB22E36A9D; Thu, 27 May 2021 22:31:11 +0200 (CEST) Received: from s898.loopia.se (unknown [172.22.191.6]) by s645.loopia.se (Postfix) with ESMTP id 284031579FD4; Thu, 27 May 2021 22:31:11 +0200 (CEST) X-Virus-Scanned: amavisd-new at amavis.loopia.se X-Spam-Flag: NO X-Spam-Score: -1 X-Spam-Level: X-Spam-Status: No, score=-1 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1] autolearn=disabled Received: from s499.loopia.se ([172.22.191.6]) by s898.loopia.se (s898.loopia.se [172.22.190.17]) (amavisd-new, port 10024) with LMTP id TU3_dCeZAkCv; Thu, 27 May 2021 22:31:08 +0200 (CEST) X-Loopia-Auth: user X-Loopia-User: daniel@yesql.se X-Loopia-Originating-IP: 89.255.232.193 Received: from smtpclient.apple (customer-89-255-232-193.stosn.net [89.255.232.193]) (Authenticated sender: daniel@yesql.se) by s499.loopia.se (Postfix) with ESMTPSA id E9FCC1CE60B4; Thu, 27 May 2021 22:31:07 +0200 (CEST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.80.0.2.43\)) Subject: Re: Support for NSS as a libpq TLS backend From: Daniel Gustafsson In-Reply-To: <50c5a423329ea9996a2a2b167931711189ed5d1b.camel@vmware.com> Date: Thu, 27 May 2021 22:31:07 +0200 Cc: "sfrost@snowman.net" , "pgsql-hackers@lists.postgresql.org" , "hlinnaka@iki.fi" , "andrew.dunstan@2ndquadrant.com" , "thomas.munro@gmail.com" , "michael@paquier.xyz" , "andres@anarazel.de" Content-Transfer-Encoding: quoted-printable Message-Id: <2FD5BB88-595A-47A0-8F51-0A1B5EEC93FA@yesql.se> References: <1b16041447d57b45ca273f41d26f6e298d756f99.camel@vmware.com> <04E81B50-ACE9-40D3-9C66-7041F969A958@yesql.se> <21FABD55-5F80-4D8B-B994-3DB81D8742EE@yesql.se> <20210321234950.GQ20766@tamriel.snowman.net> <743a11e6668bef648c7a53f862038e6b2fad3755.camel@vmware.com> <05da9d530ab01e6959bd50c993d590ad73575c21.camel@vmware.com> <20210324170036.GS20766@tamriel.snowman.net> <8f741a425fd135ca38a28063730715499f7f6445.camel@vmware.com> <20210324181016.GU20766@tamriel.snowman.net> <50c5a423329ea9996a2a2b167931711189ed5d1b.camel@vmware.com> To: Jacob Champion X-Mailer: Apple Mail (2.3654.80.0.2.43) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 25 Mar 2021, at 00:56, Jacob Champion wrote: > Databases that are opened *after* the first one are given their own = separate slots. Any certificates that are part of those databases = seemingly can't be referenced directly by nickname. They have to be = prefixed by their token name -- a name which you don't have if you used = NSS_InitContext() to create the database. You have to use = SECMOD_OpenUserDB() instead. This explains some strange failures I was = seeing in local testing, where the order of InitContext determined = whether our client certificate selection succeeded or failed. Sorry for the latency is responding, but I'm now back from parental = leave. AFAICT the tokenname for the database can be set with the = dbTokenDescription member in the NSSInitParameters struct passed to NSS_InitContext() = (documented in nss.h). Using this we can avoid the messier SECMOD machinery and use = the token in the auth callback to refer to the database we loaded. I hacked = this up in my local tree (rebased patchset coming soon) and it seems to work = as intended. -- Daniel Gustafsson https://vmware.com/