Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kXVQd-00035w-CE for pgsql-hackers@arkaria.postgresql.org; Tue, 27 Oct 2020 20:18:48 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1kXVQa-0000u5-UF for pgsql-hackers@arkaria.postgresql.org; Tue, 27 Oct 2020 20:18:44 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kXVQa-0000ty-AP for pgsql-hackers@lists.postgresql.org; Tue, 27 Oct 2020 20:18:44 +0000 Received: from lahtoruutu.iki.fi ([2a0b:5c81:1c1::37]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kXVQT-0004EE-7z for pgsql-hackers@lists.postgresql.org; Tue, 27 Oct 2020 20:18:42 +0000 Received: from [192.168.1.113] (dsl-hkibng22-54faa4-119.dhcp.inet.fi [84.250.164.119]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 07D871B001A5; Tue, 27 Oct 2020 22:18:30 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1603829910; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=f1nE2ZVAU9t9z+VU6/ytbcANu/dyWISvVuyDI/+FD9w=; b=Sc+VjLaSJ/t8fCLrH88/+MhGmDx+EKpaYIurIsQLzZ1AKCXeVz9DkkyvckBZnrTviAkwCo v5z8Cl+ZU2YX9mfB0VoFYAIHElXdiVaj1P78KoPxtF7RmqZ272ZlkkPQi1RNOAvmAShH/2 ZmtlF+riXdBLbs4wDyZEhIm4OlBBcS9GPpMOZS1jO69/lMgk17XcAd2Fy6ht8beHfjKaCf 8IQJ5hHw7RV0bsGZU7CA/FFemMYrIcTtJ0oIQNBgaq6mAwNzb4CHga+3BqakpHFVTPGy4t AAUQzgQP3GUyXnA6OGHsyBL3kOZKaNWqRPRJDlDt3C2lGLhpU9OgYRCikKI9eA== Subject: Re: Support for NSS as a libpq TLS backend To: Daniel Gustafsson , Andres Freund Cc: Postgres hackers , Michael Paquier , Andrew Dunstan , Stephen Frost , Thomas Munro References: <20200904012334.GF19499@paquier.xyz> <20200917074134.GX2873@paquier.xyz> <20200929055939.GF7117@paquier.xyz> <411593A7-E037-474D-BFD7-D3D6683C1D46@yesql.se> <20201020191529.5yverw3ybaube3pg@alap3.anarazel.de> <907FA7D1-9BD9-464B-A6EC-DEEB53438D36@yesql.se> From: Heikki Linnakangas Message-ID: <7ed636a0-872c-3ea7-dc44-b35dd515bb87@iki.fi> Date: Tue, 27 Oct 2020 22:18:29 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.3.1 MIME-Version: 1.0 In-Reply-To: <907FA7D1-9BD9-464B-A6EC-DEEB53438D36@yesql.se> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1603829910; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=f1nE2ZVAU9t9z+VU6/ytbcANu/dyWISvVuyDI/+FD9w=; b=RXhV7K01PetWr4te5m2N8L9wlKpbTmxptSUW90g/45iuyxDZhMDChDI5IznD1u2ROOtqCL oJBz/9eXIGIji+v7C1a6Yc1viX8jkcCBcinD8y31yFClICAYa9QoXkwyqlk5kt/wq6L+Ad TdzuIXjA5Njg4ZT5bvk7CsA0XMw6YnWjnbmgPcT2975PTj/eWjGD85W8xNSsSXugzcRwsn JaY4+wpe8sh0fTod55QSPbDz/MKRB+FyaX/Noiqhf0twlU0jj0c34VaS7kYIEB/irzv+SS c6D4jIALZTm7j8itjVKiHUfSH+WkA7zwbsH3ho6PEcRfjsGNFKzuMbQ8UnM7VA== ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1603829910; a=rsa-sha256; cv=none; b=Jg8o+zJeTVOBklvoH2BQldSiwM0yZneayUF+yc2iYAGQvz3NemUACuZoPcKoi2gVvDhaxG E4yz/+0+PoU04iZi68CAygIZVokTuqNx7GbY3RdtaMzVJ/gnbBh+n/trmubpLjSjjNeplW H5FPRBfD2LG6bQWrhwnKc20XIL2PKz+ffT/rrIssxQaO9AsM8US4MoN8ta/LEnjyiVRlS0 aSCTy7KFcjcDvP55VcHkiO9iM8DcGgIUynRoxqZOEoXf/i9WGMeB539FfF5uMJaOJh6WtV FyrqZq2xjq3y6NIQMPToZl9XR5s+gvmsDzkavahok5JrzxqSZihUX+JjDDTbKQ== ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Precedence: bulk On 27/10/2020 22:07, Daniel Gustafsson wrote: > /* > * Track whether the NSS database has a password set or not. There is no API > * function for retrieving password status, so we simply flip this to true in > * case NSS invoked the password callback - as that will only happen in case > * there is a password. The reason for tracking this is that there are calls > * which require a password parameter, but doesn't use the callbacks provided, > * so we must call the callback on behalf of these. > */ > static bool has_password = false; This is set in PQssl_passwd_cb function, but never reset. That seems wrong. The NSS database used in one connection might have a password, while another one might not. Or have I completely misunderstood this? - Heikki