cossacklabs / acra

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injection prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.
https://www.cossacklabs.com/acra/
Apache License 2.0

[ISSUE] tls_ocsp_from_cert: ignore doesn't ignore database OCSP, undocumented behaviour #615

Closed Burrito5152 closed 1 year ago

Burrito5152 commented 1 year ago

Describe the bug


The configuration value tls_ocsp_from_cert: ignore is not working correctly with the database connection. To get the expected behaviour, I had to use an undocumented setting, tls_ocsp_database_from_cert: ignore, which I guessed from reading the code, not the docs.

My expectation would be for it to be documented here: https://docs.cossacklabs.com/acra/configuring-maintaining/tls/ocsp/

I'm aware of the implications of switching off all these TLS settings and using the same certificate & key for client & server; honestly, I am just trying to get it to work with Python and the asyncpg library, with the Cockroach Labs serverless DB, which seems to not have OCSP set up as Acra expects it to be (separate bug? I don't know yet.)

To Reproduce

My YAML configuration (db_host is censored):

# acra.yml - both encryptor and server config in one file because they don't seem to step on each other.
version: 0.94.0

schemas:
  - table: tbl_auditlog
    columns:
      - dc_entry_id
      - dc_guild
      - stamp
    encrypted:
      - column: dc_user
        searchable: true
      - column: dc_target
        searchable: true
      - column: py_auditlogentry

  - table: t_bot_settings
    columns:
      - ky
    encrypted:
      - column: dc_user
        searchable: true
      - column: json_val

postgresql_enable: true
db_host: "example.cluster.cockroachlabs.cloud"
db_port: 26257

keystore_cache_size: -1
keystore_cache_on_start_enable: false
tls_key: "./keys/opensslKey.key"
tls_cert: "./keys/opensslCertificate.crt"
tls_auth: 0
tls_client_id_from_cert: false
tls_ocsp_required: allowUnknown
tls_ocsp_from_cert: ignore
#tls_ocsp_database_from_cert: ignore
tls_crl_from_cert: ignore
tls_crl_database_from_cert: ignore
#tls_ocsp_url: ""
#tls_ocsp_client_url: ""
#tls_ocsp_database_url: "http://r3.o.lencr.org/ocsp"

My acra-server command: acra-server --config_file=./acra.yml --client_id=dev_acra_client --encryptor_config_storage_type=filesystem --encryptor_config_file=./acra.yml -v -d

My test client (Python):

import asyncio
import ssl

import asyncpg

# TLS context for the asyncpg -> acra-server connection. The same self-signed
# certificate serves as CA, as client certificate, and as acra-server certificate
# (tls_cert / tls_key in acra.yml).
sslctx1 = ssl.create_default_context(
    ssl.Purpose.SERVER_AUTH,
    cafile="./keys/opensslCertificate.crt"
)
sslctx1.load_cert_chain(
    "./keys/opensslCertificate.crt",
    keyfile="./keys/opensslKey.crt"
)
# Hostname and chain verification are switched off on purpose for this test setup.
sslctx1.check_hostname = False
sslctx1.verify_mode = ssl.CERT_NONE

async def maintest(q):
    # Connect to the local acra-server listener, not to CockroachDB directly;
    # acra-server opens the upstream TLS connection to db_host itself.
    c = await asyncpg.connect(
                host="0.0.0.0", port=9393, user='user',
                password='qvr Trqnaxra fvaq serv',
                database="dev",
                ssl=sslctx1
    )
    x = await c.fetch(q)
    print(x)
    await c.close()
    return x

asyncio.run(maintest("select * from pg_catalog.pg_user;"))

Expected behavior


Acra should ignore OCSP URLs on the certificates, on both connections. The problem behaviour only happens when commenting out the tls_ocsp_database_from_cert: ignore line in the acra.yml file and then restarting the Acra server. The expected behaviour happens when it is uncommented.

Additional context


Failure debug logs will be attached.

Burrito5152 commented 1 year ago

📁 acra-issue-615.log

And here are the logs from running it with this configuration (commented out: #tls_ocsp_database_from_cert: ignore).

The problem here is that it works normally once tls_ocsp_database_from_cert: ignore is set (uncommented). I believe it should work normally just because tls_ocsp_from_cert: ignore is set, because that is the documented behaviour.

Lines such as this do not appear when the setting is uncommented (the problem behaviour doesn't happen):

time="2022-12-22T05:09:24Z" level=debug msg="OCSP: appending server http://r3.o.lencr.org, from cert"

In fact, no mention of OCSP appears in the log in that case.

Lagovas commented 1 year ago

You did a great job, thank you. You are right, the flags tls_[ocsp|crl]_from_cert don't override the default values of tls_[ocsp|crl]_[client|database]_from_cert, and Acra expects explicit overriding values for both parameters. And you are right, it is unexpected and undocumented behavior. We can update the documentation and note that users should set empty values for parameters that have a non-empty default value, or we can set empty default values (which we didn't do, following our primary approach of secure-by-default configuration and using the strictest options by default), or we can update the logic of parsing configuration options to ignore the default values of parameters that are not set and use the general one if it is set.

And we will choose the last option because it simplifies configuration by specifying only one parameter for each related group of parameters. We will notify you and close this issue after the fix. Also, thank you for the feedback about the incomplete documentation of the OCSP/CRL-related configuration. We will update the documentation too.
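
The two resolution rules Lagovas describes (the pre-fix one, where a per-connection flag keeps its strict default even when the general flag is set, and the chosen fix, where an unset per-connection flag falls back to the general flag) are easy to get wrong when reading a config by eye. The following Python is an added example, not Acra's code, that models both rules and runs them over the revocation-related keys of the reporter's acra.yml. The option names are the real ones from the issue; the default value "prefer", the constructed ISSUE_CONFIG dict and every function name are assumptions of this model, not Acra internals.

```python
"""Model of how Acra resolves tls_<ocsp|crl>_from_cert against the
per-connection tls_<ocsp|crl>_<client|database>_from_cert flags, as described
in issue #615.

Added example, not Acra's code. Key names are the real YAML/CLI option names
from the issue; DEFAULT_FROM_CERT and all function names are assumptions.
"""
from typing import Dict, List, Optional

GROUPS = ("ocsp", "crl")
SIDES = ("client", "database")

# Assumed strict default for each per-connection flag (query the responder URL
# found in the certificate). Acra's real default may be spelled differently.
DEFAULT_FROM_CERT = "prefer"

# Constructed input: the revocation-related keys of the reporter's acra.yml,
# with tls_ocsp_database_from_cert still commented out, as in the bug report.
ISSUE_CONFIG: Dict[str, str] = {
    "tls_ocsp_from_cert": "ignore",
    "tls_crl_from_cert": "ignore",
    "tls_crl_database_from_cert": "ignore",
}


def resolve_from_cert(config: Dict[str, str],
                      general_overrides_default: bool) -> Dict[str, str]:
    """Effective tls_<group>_<side>_from_cert value for every group and side.

    general_overrides_default=False models the pre-fix behaviour: the general
    flag never displaces a per-side default, so only an explicit per-side key
    changes anything.
    general_overrides_default=True models the chosen fix: an unset per-side key
    falls back to the general flag, and only then to the default.
    """
    resolved: Dict[str, str] = {}
    for group in GROUPS:
        general: Optional[str] = config.get(f"tls_{group}_from_cert")
        for side in SIDES:
            key = f"tls_{group}_{side}_from_cert"
            if key in config:
                resolved[key] = config[key]        # explicit per-side value always wins
            elif general is not None and general_overrides_default:
                resolved[key] = general            # fixed: inherit the general flag
            else:
                resolved[key] = DEFAULT_FROM_CERT  # pre-fix: default wins silently
    return resolved


def sides_using_cert_ocsp(config: Dict[str, str],
                          general_overrides_default: bool) -> List[str]:
    """Connections whose effective OCSP setting is anything but "ignore", i.e.
    the ones that would log "OCSP: appending server ..., from cert" whenever
    their peer certificate carries an OCSP responder URL."""
    effective = resolve_from_cert(config, general_overrides_default)
    return [side for side in SIDES
            if effective[f"tls_ocsp_{side}_from_cert"] != "ignore"]


def unset_per_side_keys(config: Dict[str, str]) -> List[str]:
    """Lint for pre-fix Acra versions: per-side keys left unset while the
    matching general flag is set, which therefore keep their strict default."""
    missing: List[str] = []
    for group in GROUPS:
        if config.get(f"tls_{group}_from_cert") is None:
            continue
        missing.extend(f"tls_{group}_{side}_from_cert" for side in SIDES
                       if f"tls_{group}_{side}_from_cert" not in config)
    return missing


if __name__ == "__main__":
    for label, fixed in (("pre-fix", False), ("fixed", True)):
        print(label, resolve_from_cert(ISSUE_CONFIG, fixed),
              "OCSP from cert on:", sides_using_cert_ocsp(ISSUE_CONFIG, fixed))
    print("unset per-side keys:", unset_per_side_keys(ISSUE_CONFIG))
```

Under the pre-fix rule the reporter's config leaves tls_ocsp_database_from_cert (and tls_ocsp_client_from_cert, tls_crl_client_from_cert) at the strict default, which is why the database connection still picked up the responder URL from the CockroachDB certificate. Setting the per-side key explicitly is the workaround on versions before the fix, and it stays harmless afterwards because an explicit per-side value still wins under both rules.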

Lagovas commented 1 year ago

The documentation hasn't been updated yet. Will close after that.

Lagovas commented 1 year ago

We have updated the docs and fixed the CLI args processing. Thanks for the contribution.