
OCSP Stapling #2240

Merged
merged 3 commits into from May 26, 2021

Conversation

wallyqs

@wallyqs wallyqs commented May 22, 2021

Adds basic OCSP Stapling support in the server for client connections. To enable it, the server has to start with the following:

```
ocsp: true
tls { ... }
```

When OCSP is enabled this way, in case a certificate has the 'status_request' / Must-Staple flag toggled, the server will make an HTTP request to the remote OCSP URL and fetch staples that are cached on disk, and serve the staples to the clients so that they can confirm the response. The TLS certificates can change at any time, and OCSP stapling is reload-aware.

To store OCSP staples to disk, a store dir can be configured as follows:

```
store_dir = "./store-dir"
```

Or, in case there is a store dir for JetStream, that will be used instead:

```
jetstream {
  store_dir = "./store-dir"
}
```

The OCSP staples will be stored in a directory created underneath it, like $store_dir/ocsp.

/cc @nats-io/core
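The two decisions the description above hinges on, "does this certificate ask for a staple?" and "where do cached staples live?", as an added Go example; this is not nats-server's own code. It builds a constructed self-signed certificate carrying the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, feature 5 = status_request), detects that extension, returns the responder URL from the certificate's AIA field that a fetcher would contact, and derives the cache directory. The precedence between a top-level `store_dir` and JetStream's `store_dir` is an assumption (explicit value first, JetStream's as fallback); the function and type names are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"path/filepath"
	"time"
)

// oidTLSFeature is id-pe-tlsfeature from RFC 7633 (1.3.6.1.5.5.7.1.24).
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// tlsFeatureStatusRequest is the TLS extension number for status_request
// (RFC 6066); its presence in the TLS Feature extension means "Must Staple".
const tlsFeatureStatusRequest = 5

// hasMustStaple reports whether cert carries the TLS Feature extension with
// status_request listed. The extension is a SEQUENCE OF INTEGER.
func hasMustStaple(cert *x509.Certificate) (bool, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int
		rest, err := asn1.Unmarshal(ext.Value, &features)
		if err != nil {
			return false, fmt.Errorf("tls feature extension: %w", err)
		}
		if len(rest) != 0 {
			return false, fmt.Errorf("tls feature extension: trailing data")
		}
		for _, f := range features {
			if f == tlsFeatureStatusRequest {
				return true, nil
			}
		}
	}
	return false, nil
}

// stapleResponder returns the OCSP responder URL to fetch from, but only
// when the certificate actually asks for a staple and names a responder.
func stapleResponder(cert *x509.Certificate) (string, bool, error) {
	need, err := hasMustStaple(cert)
	if err != nil || !need || len(cert.OCSPServer) == 0 {
		return "", false, err
	}
	return cert.OCSPServer[0], true, nil
}

// ocspCacheDir picks the base store dir and appends "ocsp", as the PR
// describes. Assumption: an explicit store_dir wins over JetStream's.
func ocspCacheDir(storeDir, jetStreamStoreDir string) (string, bool) {
	base := storeDir
	if base == "" {
		base = jetStreamStoreDir
	}
	if base == "" {
		return "", false
	}
	return filepath.Join(base, "ocsp"), true
}

// newTestCert builds a constructed self-signed certificate with an AIA OCSP
// URL and, when mustStaple is set, the TLS Feature extension.
func newTestCert(mustStaple bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ocsp-example.invalid"}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		OCSPServer:   []string{"http://ocsp.example.invalid"}, // constructed responder
	}
	if mustStaple {
		val, err := asn1.Marshal([]int{tlsFeatureStatusRequest})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert(true)
	if err != nil {
		panic(err)
	}
	url, need, err := stapleResponder(cert)
	fmt.Println("must-staple:", need, "responder:", url, "err:", err)
	dir, _ := ocspCacheDir("", "./store-dir")
	fmt.Println("staple cache dir:", dir)
}
```

A certificate without the extension yields no responder to contact, so the fetch-and-cache path described in the PR is never entered for it; with the extension present the cache lands under the chosen store dir's `ocsp` subdirectory.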

@wallyqs wallyqs requested a review from philpennock May 22, 2021 01:37
@wallyqs wallyqs force-pushed the ocsp-caching branch 2 times, most recently from 8981f19 to ac810a8 Compare May 22, 2021 05:46
@wallyqs wallyqs changed the base branch from master to ocsp-config May 22, 2021 05:48
server/ocsp.go (review comment, outdated, resolved)
@wallyqs wallyqs force-pushed the ocsp-caching branch 2 times, most recently from ff5b029 to 3db4000 Compare May 22, 2021 18:03
@wallyqs wallyqs marked this pull request as ready for review May 24, 2021 16:36

@philpennock philpennock left a comment


I confess, I'm a little sad that we're not following the state.directory pattern. Ah well.

server/ocsp.go (three review comments, resolved)
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
@wallyqs wallyqs changed the base branch from ocsp-config to master May 24, 2021 17:54
@wallyqs wallyqs changed the title OCSP Stapling with caching to disk OCSP Stapling May 24, 2021

@ColinSullivan1 ColinSullivan1 left a comment


LGTM.

server/ocsp.go (review comment, outdated, resolved)
server/server.go (review comment, outdated, resolved)
Signed-off-by: Waldemar Quevedo <wally@synadia.com>

@kozlovic kozlovic left a comment


LGTM

@wallyqs wallyqs merged commit f89d061 into master May 26, 2021
@wallyqs wallyqs deleted the ocsp-caching branch May 26, 2021 22:21
@wallyqs wallyqs mentioned this pull request May 24, 2022