On Mon, Sep 2, 2024 at 5:55 AM Daniel Gustafsson wrote:
> I guess they prefer that orgs transition back to just using CRL's.
From a practical perspective, I don't think anyone but browsers can do
that right now. Best I can tell, there's no CRLite client other than
Firefox, and Google's CRLSets l
> On 15 Aug 2024, at 00:42, Jacob Champion
> wrote:
> It's pretty frustrating to hear about a "transition" when there is
> nothing to transition to.
I guess they prefer that orgs transition back to just using CRL's.
> Anyways, I look forward to seeing how broken my crystal ball is this
> time.
On Wed, Aug 7, 2024 at 12:20 AM Daniel Gustafsson wrote:
>
> While I have only skimmed the patch so far and need more review before I can
> comment on it, I do have a question on the expected use of OCSP support in
> postgres. With OCSP becoming optional [0], and big providers like Let's
> Encryp
Hi Daniel,
Thank you for all the information.
On 2024-08-07 12:20 a.m., Daniel Gustafsson wrote:
While I have only skimmed the patch so far and need more review before I can
comment on it, I do have a question on the expected use of OCSP support in
postgres. With OCSP becoming optional [0], an
While I have only skimmed the patch so far and need more review before I can
comment on it, I do have a question on the expected use of OCSP support in
postgres. With OCSP becoming optional [0], and big providers like Let's
Encrypt deprecating OCSP [1], is this mainly targeting organizations runni
Thanks a lot Jacob for helping update the tests and sorry for the late
reply.
Based on previous discussion, I remove the document patch, and start to
focus on the v1 simple OCSP logic by checking the leaf/Postgres server
certificate's status only
(0001-v1-WIP-OCSP-support-certificate-status-c
On Wed, Jul 17, 2024 at 3:42 PM David Zhang wrote:
> Totally agree. Either implementing OCSP requests over HTTP, then parsing
> the response and then saving the results to a file, or using an OpenSSL
> client with a cron job to periodically update the file should work.
> Using a cron job would lik
= Design =
It looks like this design relies on the DBA to manually prefetch OCSP
responses for their cert chain, and cache them in the local
ssl_ocsp_file. This is similar to Nginx's ssl_stapling_file directive
[1]. I think this may make sense for a v1 (much less code!), but it's
going to take a
On Tue, Mar 5, 2024 at 4:12 PM David Zhang wrote:
> This is the third version patch for "Certificate status check using OCSP
> Stapling" with ssl regression test cases added.
Hi David,
Thanks again for working on this! So far I've taken a look at the
design and tests. I've only skimmed the callb
On Tue, Mar 5, 2024 at 4:12 PM David Zhang wrote:
> Any comments or feedback would be greatly appreciated!
Hi David -- I haven't had time to get to this for the 17 release
cycle, but I'm interested in this feature and I intend to review it at
some point for 18. I think OCSP will be especially hel
Hi Hackers,
This is the third version patch for "Certificate status check using OCSP
Stapling" with ssl regression test cases added.
Here is how I run the ssl regression test:
./configure --enable-tap-tests --with-openssl
make -j
cd src/test/ssl
make sslfiles
make check PG_
Hi Hackers,
This is the 2nd version patch with the following updates:
1) Changed the frontend SSL parameter from `ssl_ocsp_stapling` to
`sslocspstapling` to align with other SSL parameters.
2) Documented both the backend parameter `ssl_ocsp_file` and the
frontend parameter `sslocspstapling`.
3