Open johanfleury opened 3 years ago
The ssl_exporter currently relies on the verification performed by the crypto/x509 and crypto/tls packages. Seems to me like they're beginning to work on it upstream:
So my inclination is to wait to see what happens there.
Thanks for the heads up. In the mean time I created a branch with a PoC that fits my needs.
This introduces a new metric called ssl_revocation_status that is computed for each leaf or intermediate certificate in VerifiedChains by requesting OCSP status or (as a fallback) by checking the CRL status:
```
$ curl 'http://127.0.0.1:9219/probe?module=https&target=https://arcaik.net'
[SNIPPED]
# HELP ssl_revocation_status OCSP or CRL revocation status for the certificate (0=Good 1=Revoked 2=Unknown)
# TYPE ssl_revocation_status gauge
ssl_revocation_status{chain_no="0",cn="R3",dnsnames="",emails="",ips="",issuer_cn="DST Root CA X3",ou="",serial_no="85078157426496920958827089468591623647"} 0
ssl_revocation_status{chain_no="0",cn="arcaik.net",dnsnames=",arcaik.net,",emails="",ips="",issuer_cn="R3",ou="",serial_no="414026126493887045299805532731746967018627"} 0
[SNIPPED]
```
Let me know if you would accept a PR with such a change. I know it could be cleaned up a bit and collectRevocationMetrics could be merged with collectVerifiedChainMetrics, but I wanted to keep it separated while this stays a fork.
I've opened a PR (#81) with the code we have been using in production for a while at my job.
I'll be honest, this is far from useful on a daily basis (though it might still help prevent some issues in the future if a CA revokes one of its intermediate certificates, like GlobalSign did), so I'd understand if you don't want to add this feature to ssl_exporter.
Hi
GlobalSign is currently revoking some of their intermediate CA certificates, and I found out that ssl_exporter still considers a certificate issued by one of these intermediate CAs to be valid.
To be fair, OpenSSL and GnuTLS both consider such a cert valid too:
However, some clients fail to validate this certificate, and an OCSP request for the intermediate CA certificate shows that it is actually revoked:
Do you think it would be possible to implement OCSP verification on every certificate in the chain returned by the TLS server?
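The gap described in this issue, and the per-certificate chain walk that the ssl_revocation_status PoC above performs, can be reproduced offline with only the Go standard library. The following is an added example written for this page; it is not code from ssl_exporter or from PR #81. It builds a constructed throwaway PKI (names "Constructed Root CA", "Constructed Intermediate CA" and "example.net" are assumptions), has the root's CRL revoke the intermediate, shows that crypto/x509 still verifies the chain (it never consults CRLs or OCSP), and then walks chain 0 exactly as the metric does, checking each leaf and intermediate against a CRL signed by its own issuer. Only the CRL fallback path is shown: the OCSP request path needs golang.org/x/crypto/ocsp and a live responder, which cannot run offline. The helper names must, newCert, newCRL, crlStatus, chainRevocationStatus and Probe are mine, not the project's. Requires Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Status values follow the proposed ssl_revocation_status metric (0=Good 1=Revoked 2=Unknown).
const StatusGood, StatusRevoked, StatusUnknown = 0, 1, 2

func must(err error) { if err != nil { panic(err) } }

// newCert issues a certificate for cn signed by parent (self-signed when parent is nil).
// Constructed throwaway PKI for this example only, not a real CA.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey); must(err)
	cert, err := x509.ParseCertificate(der); must(err)
	return cert, key
}

// newCRL signs a CRL from issuer revoking the given serial numbers.
func newCRL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, now time.Time, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, issuerKey); must(err)
	crl, err := x509.ParseRevocationList(der); must(err)
	return crl
}

// crlStatus checks cert against a CRL signed by its issuer (the next cert in the chain).
// A CRL from anyone else, or one past NextUpdate, is ignored; no usable CRL means Unknown, never Good.
func crlStatus(cert, issuer *x509.Certificate, crls []*x509.RevocationList, now time.Time) int {
	for _, crl := range crls {
		if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) || crl.CheckSignatureFrom(issuer) != nil || now.After(crl.NextUpdate) {
			continue
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return StatusRevoked
			}
		}
		return StatusGood
	}
	return StatusUnknown
}

// chainRevocationStatus returns one status per leaf and intermediate of a verified chain,
// in chain order; the trust anchor itself is not checked.
func chainRevocationStatus(chain []*x509.Certificate, crls []*x509.RevocationList, now time.Time) []int {
	var statuses []int
	for i := 0; i+1 < len(chain); i++ {
		statuses = append(statuses, crlStatus(chain[i], chain[i+1], crls, now))
	}
	return statuses
}

// Probe reproduces the issue on a constructed PKI: the root's CRL revokes the intermediate,
// yet crypto/x509 still verifies the chain because it never consults CRLs or OCSP.
// It returns the statuses for (leaf, intermediate); withCRLs=false exercises the Unknown path.
func Probe(withCRLs bool) ([]int, error) {
	now := time.Now()
	root, rootKey := newCert("Constructed Root CA", 1, true, nil, nil, now)
	inter, interKey := newCert("Constructed Intermediate CA", 2, true, root, rootKey, now)
	leaf, _ := newCert("example.net", 3, false, inter, interKey, now)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.net", Roots: roots, Intermediates: inters, CurrentTime: now})
	if err != nil {
		return nil, err // never reached here: x509 does no revocation checking
	}
	var crls []*x509.RevocationList
	if withCRLs {
		crls = []*x509.RevocationList{
			newCRL(root, rootKey, now, inter.SerialNumber), // root revokes the intermediate
			newCRL(inter, interKey, now),                   // intermediate's CRL is empty, so the leaf is Good
		}
	}
	return chainRevocationStatus(chains[0], crls, now), nil
}
```

Probe(true) returns [0 1]: the leaf is Good and the intermediate is Revoked, while Verify raised no error, which is the GlobalSign situation in one call. Probe(false) returns [2 2], because a CRL that is missing, stale, or signed by the wrong key must surface as Unknown rather than silently reading as Good. A production check would fetch the CRL from each certificate's CRLDistributionPoints (and try OCSP first, as the PoC does) instead of constructing it locally.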