On Mon, Sep 2, 2024 at 5:55 AM Daniel Gustafsson wrote:
> I guess they prefer that orgs transition back to just using CRL's.
From a practical perspective, I don't think anyone but browsers can do
that right now. Best I can tell, there's no CRLite client other than
Firefox, and Google's CRLSets l
> On 15 Aug 2024, at 00:42, Jacob Champion
> wrote:
> It's pretty frustrating to hear about a "transition" when there is
> nothing to transition to.
I guess they prefer that orgs transition back to just using CRL's.
> Anyways, I look forward to seeing how broken my crystal ball is this
> time.
On Wed, Aug 7, 2024 at 12:20 AM Daniel Gustafsson wrote:
>
> While I have only skimmed the patch so far and need more review before I can
> comment on it, I do have a question on the expected use of OCSP support in
> postgres. With OCSP becoming optional [0], and big providers like Let's
> Encryp
Hi Daniel,
Thank you for all the information.
On 2024-08-07 12:20 a.m., Daniel Gustafsson wrote:
While I have only skimmed the patch so far and need more review before I can
comment on it, I do have a question on the expected use of OCSP support in
postgres. With OCSP becoming optional [0], an
While I have only skimmed the patch so far and need more review before I can
comment on it, I do have a question on the expected use of OCSP support in
postgres. With OCSP becoming optional [0], and big providers like Let's
Encrypt deprecating OCSP [1], is this mainly targeting organizations runni
Thanks a lot Jacob for helping update the tests and sorry for the late
reply.
Based on previous discussion, I remove the document patch, and start to
focus on the v1 simple OCSP logic by checking the leaf/Postgres server
certificate's status only
(0001-v1-WIP-OCSP-support-certificate-status-c
On Wed, Jul 17, 2024 at 3:42 PM David Zhang wrote:
> Totally agree. Either Implementing OCSP requests over HTTP, then parsing
> the response and then saving the results to a file, or using an OpenSSL
> client with a cron job to periodically update the file should work.
> Using a cron job would lik
= Design =
It looks like this design relies on the DBA to manually prefetch OCSP
responses for their cert chain, and cache them in the local
ssl_ocsp_file. This is similar to Nginx's ssl_stapling_file directive
[1]. I think this may make sense for a v1 (much less code!), but it's
going to take a
On Tue, Mar 5, 2024 at 4:12 PM David Zhang wrote:
> This is the third version patch for "Certificate status check using OCSP
> Stapling" with ssl regression test cases added.
Hi David,
Thanks again for working on this! So far I've taken a look at the
design and tests. I've only skimmed the callb
On Tue, Mar 5, 2024 at 4:12 PM David Zhang wrote:
> Any comments or feedback would be greatly appreciated!
Hi David -- I haven't had time to get to this for the 17 release
cycle, but I'm interested in this feature and I intend to review it at
some point for 18. I think OCSP will be especially hel
Hi Hackers,
This is the third version patch for "Certificate status check using OCSP
Stapling" with ssl regression test cases added.
Here is how I run the ssl regression test:
./configure --enable-tap-tests --with-openssl
make -j
cd src/test/ssl
make sslfiles
make check PG_
Hi Hackers,
This is the 2nd version patch with following updates:
1) Changed the frontend SSL parameter from `ssl_ocsp_stapling` to
`sslocspstapling` to align with other SSL parameters.
2) Documented both the backend parameter `ssl_ocsp_file` and the
frontend parameter `sslocspstapling`.
3
Hello PostgreSQL Hackers,
This proposal suggests implementing OCSP Stapling in PostgreSQL as an
alternative and more efficient method for checking certificate
revocation, aligning with the trend shift from Certificate Revocation
Lists (CRL).
1. benefits
OCSP Stapling offers several advantag
13 matches