Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-09-03 Thread Jacob Champion
On Mon, Sep 2, 2024 at 5:55 AM Daniel Gustafsson wrote: > I guess they prefer that orgs transition back to just using CRL's. From a practical perspective, I don't think anyone but browsers can do that right now. Best I can tell, there's no CRLite client other than Firefox, and Google's CRLSets l

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-09-02 Thread Daniel Gustafsson
> On 15 Aug 2024, at 00:42, Jacob Champion > wrote: > It's pretty frustrating to hear about a "transition" when there is > nothing to transition to. I guess they prefer that orgs transition back to just using CRL's. > Anyways, I look forward to seeing how broken my crystal ball is this > time.

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-08-14 Thread Jacob Champion
On Wed, Aug 7, 2024 at 12:20 AM Daniel Gustafsson wrote: > > While I have only skimmed the patch so far and need more review before I can > comment on it, I do have a question on the expected use of OCSP support in > postgres. With OCSP becoming optional [0], and big providers like Let's > Encryp

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-08-07 Thread David Zhang
Hi Daniel, Thank you for all the information. On 2024-08-07 12:20 a.m., Daniel Gustafsson wrote: While I have only skimmed the patch so far and need more review before I can comment on it, I do have a question on the expected use of OCSP support in postgres. With OCSP becoming optional [0], an

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-08-07 Thread Daniel Gustafsson
While I have only skimmed the patch so far and need more review before I can comment on it, I do have a question on the expected use of OCSP support in postgres. With OCSP becoming optional [0], and big providers like Let's Encrypt deprecating OCSP [1], is this mainly targeting organizations runni

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-08-06 Thread David Zhang
Thanks a lot Jacob for helping update the tests and sorry for the late reply. Based on previous discussion, I remove the document patch, and start to focus on the v1 simple OCSP logic by checking the leaf/Postgres server certificate's status only (0001-v1-WIP-OCSP-support-certificate-status-c

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-07-18 Thread Jacob Champion
On Wed, Jul 17, 2024 at 3:42 PM David Zhang wrote: > Totally agree. Either Implementing OCSP requests over HTTP, then parsing > the response and then saving the results to a file, or using an OpenSSL > client with a cron job to periodically update the file should work. > Using a cron job would lik

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-07-17 Thread David Zhang
= Design = It looks like this design relies on the DBA to manually prefetch OCSP responses for their cert chain, and cache them in the local ssl_ocsp_file. This is similar to Nginx's ssl_stapling_file directive [1]. I think this may make sense for a v1 (much less code!), but it's going to take a

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-07-15 Thread Jacob Champion
On Tue, Mar 5, 2024 at 4:12 PM David Zhang wrote: > This is the third version patch for "Certificate status check using OCSP > Stapling" with ssl regression test cases added. Hi David, Thanks again for working on this! So far I've taken a look at the design and tests. I've only skimmed the callb

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-03-22 Thread Jacob Champion
On Tue, Mar 5, 2024 at 4:12 PM David Zhang wrote: > Any comments or feedback would be greatly appreciated! Hi David -- I haven't had time to get to this for the 17 release cycle, but I'm interested in this feature and I intend to review it at some point for 18. I think OCSP will be especially hel

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-03-05 Thread David Zhang
Hi Hackers, This is the third version patch for "Certificate status check using OCSP Stapling" with ssl regression test cases added. Here is how I run the ssl regression test:     ./configure --enable-tap-tests --with-openssl     make -j     cd src/test/ssl     make sslfiles     make check PG_

Re: Proposal for implementing OCSP Stapling in PostgreSQL

2024-02-23 Thread David Zhang
Hi Hackers, This is the 2nd version patch with following updates: 1) Changed the frontend SSL parameter from `ssl_ocsp_stapling` to `sslocspstapling` to align with other SSL parameters. 2) Documented both the backend parameter `ssl_ocsp_file` and the frontend parameter `sslocspstapling`. 3