Closed Burrito5152 closed 1 year ago
And here are the logs from running it with this configuration (commented out: #tls_ocsp_database_from_cert: ignore).
The problem here is, it works normally once tls_ocsp_database_from_cert: ignore is set (uncommented).
I believe it should work normally just because tls_ocsp_from_cert: ignore is set, because that is the documented behaviour.
Lines such as this do not appear when the setting is uncommented (the problem behaviour doesn't happen):
time="2022-12-22T05:09:24Z" level=debug msg="OCSP: appending server http://r3.o.lencr.org, from cert"
In fact, no mention of OCSP appears in the log in this case.
You did a great job, thank you. You are right, the flags tls_[ocsp|crl]_from_cert don't override the default values of tls_[ocsp|crl]_[client|database]_from_cert, and Acra expects explicit overriding values for both parameters.
And you are right, it is unexpected and undocumented behavior. We can update the documentation and note that users should set empty values for parameters that have a non-empty default value, or we can set empty default values (which we didn't do because we follow our primary approach of secure-by-default configuration and use the strictest options by default), or we can update the logic of parsing configuration options to ignore the default values of parameters that were not set and use the general one if it is set.
And we will choose the last option because it simplifies configuration by specifying only one parameter for all related groups of parameters. We will notify you and close this issue after the fix. Also, thank you for the feedback about the incomplete documentation of the OCSP/CRL-related configuration. We will update the documentation too.
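The precedence rule discussed above, modelled as an added example in Go (not Acra's own code): resolveNaive reproduces the reported behaviour, where an unset per-connection flag still reports its strict default and the general flag never applies, and resolveFixed implements the option the maintainers chose. The default value "prefer", the Flag type and the function names are assumptions for illustration only.

```go
package main

// Flag models one option such as tls_ocsp_database_from_cert: the value the
// user wrote, whether it was written at all, and the built-in default. The
// default "prefer" is an assumption; the page does not state Acra's real one.
type Flag struct {
	Value   string
	Default string
	IsSet   bool
}

// effective is what a flag library reports: the explicit value, else the default.
func (f Flag) effective() string {
	if f.IsSet {
		return f.Value
	}
	return f.Default
}

// resolveNaive reproduces the behaviour reported in the issue: the specific
// flag is read first, and since an unset specific flag still reports its
// non-empty default, the general flag never gets a chance to apply.
func resolveNaive(general, specific Flag) string {
	if v := specific.effective(); v != "" {
		return v
	}
	return general.effective()
}

// resolveFixed is the option the maintainers chose: the default of a specific
// flag the user did not set is ignored when the general flag was set
// explicitly; the strict default applies only if neither was given.
func resolveFixed(general, specific Flag) string {
	switch {
	case specific.IsSet:
		return specific.Value
	case general.IsSet:
		return general.Value
	default:
		return specific.Default
	}
}

// reporterConfig is the reporter's acra.yml: only tls_ocsp_from_cert: ignore
// is written; tls_ocsp_database_from_cert is left at its default.
func reporterConfig() (general, database Flag) {
	general = Flag{Value: "ignore", Default: "prefer", IsSet: true}
	database = Flag{Default: "prefer"}
	return general, database
}
```

With the reporter's configuration resolveNaive still yields the strict default for the database connection, which is why OCSP servers from the certificate were appended, while resolveFixed yields "ignore".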
The documentation wasn't updated yet. Will close after that.
We have updated the docs and fixed CLI args processing. Thanks for the contribution.
Describe the bug
The configuration value tls_ocsp_from_cert: ignore is not working correctly with the database connection. To get the expected behaviour, I had to use an undocumented setting, tls_ocsp_database_from_cert: ignore, which I guessed from reading the code, not the docs. My expectation would be for it to be documented here: https://docs.cossacklabs.com/acra/configuring-maintaining/tls/ocsp/
I'm aware of the implications of switching off all these TLS settings and using the same certificate & key for client & server - honestly, I am just trying to get it to work with Python and the asyncpg library, with Cockroach Labs serverless DB, which seems to not have OCSP set up as Acra expects it to be (separate bug? I don't know yet.)
To Reproduce
My YAML configuration (db_host is censored):
My acra-server command:
acra-server --config_file=./acra.yml --client_id=dev_acra_client --encryptor_config_storage_type=filesystem --encryptor_config_file=./acra.yml -v -d
My test client (Python):
Expected behavior
Acra should ignore OCSP URLs on the certificates, on both connections. The problem behaviour only happens when commenting out the tls_ocsp_database_from_cert: ignore line in the acra.yml file and then restarting the Acra server. The expected behaviour happens when it is uncommented.
Acra configuration files (encryptor_config.yaml, if used)
Environment (please complete the following information):
Additional context
Failure debug logs will be attached.