Internal Release

snowflake-connectors-app released this 06 Nov 13:17
ba44cdf

New features:

  • Support for cross-signed certificate chains during the OCSP check.
  • Implemented a new CRL (Certificate Revocation List) checking mechanism.
    Enabling CRL checking improves security by rejecting revoked certificates during the TLS handshake. For more information, see the "Replacing OCSP with CRL as the method of certificate revocation checking" Knowledge Base article.
    This feature is disabled by default. For information on enabling this feature, see the attributes below. We recommend you test this feature in advisory mode before enabling it in production.
    • Added new connection attributes:
      • SF_CON_CRL_CHECK (boolean; default: false). If enabled, CRL checking is performed for the Snowflake connection; by default the connection fails if the server's certificate is revoked or if any other revocation check issue occurs (e.g., a download or parsing error).
      • SF_CON_CRL_ADVISORY (boolean; default: false). Modifies CRL checking so that the connection fails only when the certificate is explicitly revoked. When any other problem (e.g., a parsing or download error) occurs, the connection is allowed.
      • SF_CON_CRL_ALLOW_NO_CRL (boolean; default: false). Allows opening the connection when the CRL distribution point URL is absent.
      • SF_CON_CRL_DISK_CACHING (boolean; default: true). Enables caching of CRL files on disk to reduce the time spent re-downloading them.
      • SF_CON_CRL_MEMORY_CACHING (boolean; default: true). Enables caching of CRLs in application memory.
      • SF_CON_CRL_DOWNLOAD_TIMEOUT (integer; default: 120). Sets the CRL download timeout in seconds.
    • Added new environment variables:
      • SF_CRL_RESPONSE_CACHE_DIR (string). Overrides the default CRL cache directory with the specified path.
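
To make the interaction of the three boolean attributes explicit, the following is an added model (not the connector's own code) of the allow/fail decision they describe; the outcome categories, the `CrlSettings`/`connection_allowed` names and the treatment of a missing distribution point under advisory mode are assumptions drawn from the wording above.

```python
from dataclasses import dataclass
from enum import Enum, auto


class CrlOutcome(Enum):
    """What a single CRL lookup for the server certificate produced (assumed categories)."""
    GOOD = auto()            # CRL fetched and parsed; serial not listed
    REVOKED = auto()         # serial is listed on the CRL
    DOWNLOAD_ERROR = auto()  # CRL could not be fetched (e.g. timeout)
    PARSE_ERROR = auto()     # CRL fetched but could not be parsed
    NO_CDP = auto()          # certificate has no CRL distribution point URL


@dataclass(frozen=True)
class CrlSettings:
    """The release's connection attributes with their documented defaults."""
    crl_check: bool = False         # SF_CON_CRL_CHECK
    crl_advisory: bool = False      # SF_CON_CRL_ADVISORY
    crl_allow_no_crl: bool = False  # SF_CON_CRL_ALLOW_NO_CRL


def connection_allowed(settings: CrlSettings, outcome: CrlOutcome) -> bool:
    """Decide whether the TLS connection proceeds for one lookup outcome."""
    if not settings.crl_check:
        return True          # feature disabled: revocation status is ignored
    if outcome is CrlOutcome.REVOKED:
        return False         # an explicit revocation fails in every mode
    if outcome is CrlOutcome.GOOD:
        return True
    if outcome is CrlOutcome.NO_CDP and settings.crl_allow_no_crl:
        return True          # missing distribution point explicitly tolerated
    # Download/parse errors, and a missing CDP without the allowance, are
    # "other revocation check issues": strict mode fails, advisory mode allows.
    return settings.crl_advisory


def decision_table(settings: CrlSettings) -> dict:
    """Map every outcome to the resulting decision, for reviewing a configuration."""
    return {o.name: connection_allowed(settings, o) for o in CrlOutcome}


if __name__ == "__main__":
    # Constructed comparison of the default, strict and advisory configurations.
    for label, cfg in [("default", CrlSettings()),
                       ("strict", CrlSettings(crl_check=True)),
                       ("advisory", CrlSettings(crl_check=True, crl_advisory=True))]:
        print(label, decision_table(cfg))
```

Reviewing the `strict` and `advisory` rows side by side shows what advisory mode gives up: any fetch or parse failure becomes a silent allow, which is why it suits a trial period rather than production.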

Bugfixes:

  • Removed trailing null termination character from the JWT header and payload.