Closed chrisgilmerproj closed 4 years ago
@pjdufour-dds @sanjays1 - I think I'm on track with an OCSP implementation for iceberg. But before I wire it up, and while I have a reasonable demo in here, I'd love for you folks to do an initial review. I know it's a little rough, but I figure now's the best time to look at how I designed this.
One big question: What do I do when the server certificate's OCSP response is "revoked"? Would we just throw errors into the logs and hope someone watching their iceberg notices? Would love to know what you think about that.
I've wired up the OCSP stuff to the server. I've got some manual testing left to do to validate this works as expected. I took a fairly naive approach to overriding tls.Config.GetCertificate() by keeping a version of the certificate in the function. There may be a better way to handle that.
Relates to #16
This PR begins with adding an OCSP example that can be done using OpenSSL commands and verified with Golang. Instructions for usage are in the README.md.
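The two design points raised above (how to hand the staple to `tls.Config.GetCertificate` without keeping a copy of the certificate inside the closure, and what to do when the responder says "revoked") can be shown end to end in a small Go program. The code below is an added example written for this page, not iceberg's code or anything from this PR: the `StaplingCert` type, the `StapleStatus` values and the `Handshake` helper are this example's own names. It keeps the `*tls.Certificate` behind an atomic pointer so a background refresher can swap in a new OCSP staple while handshakes are in flight, serves the staple only when the status is good, and answers the "revoked" question one way: the hook returns an error, so every handshake fails and the reason lands in the server log instead of silently presenting a withdrawn certificate. The staple bytes are a constructed placeholder; a real refresher would fetch a DER response from the CA's responder and parse it with `golang.org/x/crypto/ocsp` before deciding the status. A throwaway self-signed certificate and a loopback TCP handshake let it run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sync/atomic"
	"time"
)

// StapleStatus is the server's own reading of the OCSP response for its
// certificate. This enum is the example's simplification, not iceberg's.
type StapleStatus int32

const (
	StatusGood    StapleStatus = iota // serve the staple
	StatusUnknown                     // serve without a staple, keep retrying
	StatusRevoked                     // refuse to complete handshakes
)

// StaplingCert keeps the current certificate (with OCSPStaple filled in)
// behind an atomic pointer, so a refresher goroutine can swap in a new
// staple while handshakes are reading the old one, with no lock.
type StaplingCert struct {
	cert   atomic.Pointer[tls.Certificate]
	status atomic.Int32
}

func NewStaplingCert(c tls.Certificate) *StaplingCert {
	s := &StaplingCert{}
	s.cert.Store(&c)
	return s
}

// Update installs a fresh DER-encoded OCSP response together with the status
// derived from it. The tls.Certificate is copied rather than mutated in place
// because in-flight handshakes may still hold the previous pointer.
func (s *StaplingCert) Update(status StapleStatus, staple []byte) {
	next := *s.cert.Load() // shallow copy; chain and private key are shared
	next.OCSPStaple = nil  // never staple an unknown, stale or revoked answer
	if status == StatusGood {
		next.OCSPStaple = staple
	}
	s.cert.Store(&next)
	s.status.Store(int32(status))
}

// GetCertificate is the tls.Config.GetCertificate hook. Once the refresher
// has seen "revoked", it fails the handshake instead of presenting a
// certificate the CA has withdrawn; the error surfaces in the server log.
func (s *StaplingCert) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if StapleStatus(s.status.Load()) == StatusRevoked {
		return nil, errors.New("ocsp: server certificate revoked, refusing handshake")
	}
	return s.cert.Load(), nil
}

// selfSigned mints a throwaway P-256 certificate so the example runs offline.
func selfSigned(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Handshake runs one TLS handshake over loopback TCP and returns the staple
// the client received (empty when none was sent) or the server-side error.
func Handshake(s *StaplingCert, root *x509.Certificate, host string) ([]byte, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: s.GetCertificate, MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake()
	}()
	pool := x509.NewCertPool()
	pool.AddCert(root) // the self-signed leaf doubles as the client's trust anchor
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: host})
	if err != nil {
		ln.Close() // unblock Accept if the TCP connect itself failed
		return nil, fmt.Errorf("client: %w; server: %v", err, <-srvErr)
	}
	defer cli.Close()
	if serr := <-srvErr; serr != nil {
		return nil, serr
	}
	return cli.ConnectionState().OCSPResponse, nil
}

func main() {
	const host = "iceberg.example"
	cert, root, err := selfSigned(host)
	if err != nil {
		panic(err)
	}
	s := NewStaplingCert(cert)
	// Constructed stand-in for a DER OCSP response; not a real responder answer.
	s.Update(StatusGood, []byte("constructed-good-ocsp-response"))
	staple, err := Handshake(s, root, host)
	fmt.Printf("good:    staple=%q err=%v\n", staple, err)
	s.Update(StatusUnknown, nil)
	staple, err = Handshake(s, root, host)
	fmt.Printf("unknown: staple=%q err=%v\n", staple, err)
	s.Update(StatusRevoked, nil)
	staple, err = Handshake(s, root, host)
	fmt.Printf("revoked: staple=%q err=%v\n", staple, err)
}
```

Refusing handshakes on "revoked" is a deliberate availability trade-off: the alternative of continuing to serve and only logging leaves clients that do not check OCSP talking to a certificate the CA has withdrawn, while clients that do check fail anyway. Whatever policy is chosen, the copy-then-swap in `Update` is what avoids a data race between the refresher and concurrent handshakes; mutating the `tls.Certificate` the hook is already handing out is not safe.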