Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1ltbao-0002j1-Ck for pgsql-hackers@arkaria.postgresql.org; Wed, 16 Jun 2021 19:52:54 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1ltbam-0005qz-SH for pgsql-hackers@arkaria.postgresql.org; Wed, 16 Jun 2021 19:52:52 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1ltbam-0005qr-Kh for pgsql-hackers@lists.postgresql.org; Wed, 16 Jun 2021 19:52:52 +0000 Received: from smtp.outgoing.loopia.se ([93.188.3.37]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1ltbak-0003kY-5t for pgsql-hackers@lists.postgresql.org; Wed, 16 Jun 2021 19:52:52 +0000 Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id D2E4524664DD for ; Wed, 16 Jun 2021 21:52:48 +0200 (CEST) Received: from s899.loopia.se (unknown [172.22.191.6]) by s807.loopia.se (Postfix) with ESMTP id C245E2E289A8; Wed, 16 Jun 2021 21:52:48 +0200 (CEST) Received: from s470.loopia.se (unknown [172.22.191.5]) by s899.loopia.se (Postfix) with ESMTP id BB56F2C8B9CE; Wed, 16 Jun 2021 21:52:48 +0200 (CEST) X-Virus-Scanned: amavisd-new at amavis.loopia.se X-Spam-Flag: NO X-Spam-Score: -1 X-Spam-Level: X-Spam-Status: No, score=-1 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1] autolearn=disabled Received: from s899.loopia.se ([172.22.191.6]) by s470.loopia.se (s470.loopia.se [172.22.190.10]) (amavisd-new, port 10024) with LMTP id RiOzcpyo9OeO; Wed, 16 Jun 2021 21:52:47 +0200 (CEST) X-Loopia-Auth: user X-Loopia-User: daniel@yesql.se X-Loopia-Originating-IP: 89.255.232.193 Received: from smtpclient.apple (customer-89-255-232-193.stosn.net [89.255.232.193]) (Authenticated sender: daniel@yesql.se) by s899.loopia.se (Postfix) with ESMTPSA id 934992C8B9BC; Wed, 16 Jun 2021 21:52:47 +0200 (CEST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.80.0.2.43\)) Subject: Re: Support for NSS as a libpq TLS backend From: Daniel Gustafsson In-Reply-To: <14b33300304507db6f4e4d8a77da105a8d18ea1a.camel@vmware.com> Date: Wed, 16 Jun 2021 21:52:47 +0200 Cc: "pgsql-hackers@lists.postgresql.org" , "hlinnaka@iki.fi" , "andrew.dunstan@2ndquadrant.com" , "michael@paquier.xyz" , "thomas.munro@gmail.com" , "andres@anarazel.de" , "sfrost@snowman.net" Content-Transfer-Encoding: quoted-printable Message-Id: References: <1b16041447d57b45ca273f41d26f6e298d756f99.camel@vmware.com> <04E81B50-ACE9-40D3-9C66-7041F969A958@yesql.se> <21FABD55-5F80-4D8B-B994-3DB81D8742EE@yesql.se> <20210321234950.GQ20766@tamriel.snowman.net> <743a11e6668bef648c7a53f862038e6b2fad3755.camel@vmware.com> <05da9d530ab01e6959bd50c993d590ad73575c21.camel@vmware.com> <20210324170036.GS20766@tamriel.snowman.net> <8f741a425fd135ca38a28063730715499f7f6445.camel@vmware.com> <20210324181016.GU20766@tamriel.snowman.net> <50c5a423329ea9996a2a2b167931711189ed5d1b.camel@vmware.com> <2FD5BB88-595A-47A0-8F51-0A1B5EEC93FA@yesql.se> <4a15bbab42cd85b6bec83c2609305552d246f68e.camel@vmware.com> <8335133C-920E-438D-9CEB-DEF4C1533F73@yesql.se> <4ec146256e31afa0542f9fa970ec258c5f1a5f98.camel@vmware.com> <70A12E33-90B8-4761-8FA6-8DDB9EEA4D3E@yesql.se> <14b33300304507db6f4e4d8a77da105a8d18ea1a.camel@vmware.com> To: Jacob Champion X-Mailer: Apple Mail (2.3654.80.0.2.43) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 16 Jun 2021, at 18:15, Jacob Champion wrote: >=20 > On Wed, 2021-06-16 at 15:31 +0200, Daniel Gustafsson wrote: >>> On 16 Jun 2021, at 01:50, Jacob Champion = wrote: >>> I've been tracking down reference leaks in the client. These open >>> references prevent NSS from shutting down cleanly, which then makes = it >>> impossible to open a new context in the future. This probably = affects >>> other libpq clients more than it affects psql. >>=20 >> Ah, nice catch, that's indeed a bug in the frontend implementation. = The >> problem is that the NSS trustdomain cache *must* be empty before = shutting down >> the context, else this very issue happens. Note this in = be_tls_destroy(): >>=20 >> /* >> * It reads a bit odd to clear a session cache when we are = destroying the >> * context altogether, but if the session cache isn't cleared = before >> * shutting down the context it will fail with SEC_ERROR_BUSY. >> */ >> SSL_ClearSessionCache(); >>=20 >> Calling SSL_ClearSessionCache() in pgtls_close() fixes the error. >=20 > That's unfortunate. The session cache is global, right? So I'm = guessing > we'll need to refcount and lock that call, to avoid cleaning up out > from under a thread that's actively using the the cache? I'm not sure, the documentation doesn't give any answers and = implementations of libnss tend to just clear the cache without consideration. In libcurl = we do just that, and haven't had any complaints - which doesn't mean it's = correct but it's a datapoint. >> There is another resource leak left (visible in one test after the = above is >> added), the SECMOD module needs to be unloaded in case it's been = loaded. >> Implementing that with SECMOD_UnloadUserModule trips a segfault in = NSS which I >> have yet to figure out (when acquiring a lock with = NSSRWLock_LockRead). >>=20 >> [...] >>=20 >> With your patches I'm seeing a couple of these: >>=20 >> SSL error: The one-time function was previously called and failed. = Its error code is no longer available >=20 > Hmm. Adding SSL_ClearSessionCache() (without thread-safety at the > moment) fixes all of the SSL tests for me, and I don't see either the > SECMOD leak or the "one-time function" error that you've mentioned. Reading the code I don't think a loaded user module is considered a = resource that must've been released prior to closing the context. I will dig for = what showed up in my tests, but I don't think it was caused by this. > What version of NSS are you running? I'm on 3.63. Right now I'm using what Debian 10 is packaging which is 3.42. = Admittedly not hot off the press but I've been trying to develop off a packaged version = which we might see users wanting to deploy against should this get shipped. -- Daniel Gustafsson https://vmware.com/