Closed johanfleury closed 2 years ago
Thank you so much for your contributions and interest in this project @johanfleury, I really appreciate it.
Sorry that I haven't got around to reviewing your PRs yet, I haven't had the time I'd like to dedicate to this project recently. I'm hoping to change that.
On this PR specifically, I think I'm happy to add revocation checking but, as this extends the standard functionality of tls.Config and makes extra requests, I think it should be optional and opt-in.
I also wonder whether this should be implemented as a metric (as it is here) or as a custom verification function (so that the probe would fail for a revoked certificate). Or both?
What do you think?
> Sorry that I haven't got around to reviewing your PRs yet, I haven't had the time I'd like to dedicate to this project recently. I'm hoping to change that.
No worries, we all need to take care of ourselves :)
> I think it should be optional and opt-in.
That’s fair, I can add a flag or a module setting for that.
> I also wonder whether this should be implemented as a metric (as it is here) or as a custom verification function (so that the probe would fail for a revoked certificate). Or both?
I would rather keep this as a metric that I can alert on rather than just having to rely on a generic “probe failed” alert.
To be honest, this is really a strange use-case and I was not really expecting this PR to be merged anyway :D
As I mentioned in the associated issue, none of the tools I’ve tested (OpenSSL, GnuTLS, Go TLS library, etc.) were impacted by an intermediate cert being revoked, we just happened to have some platforms that were and I was tasked to monitor that.
Closing this as I don’t have the need for this anymore.
This adds a new metric ssl_revocation_status for each certificate in every trusted chain. This metric shows whether the certificate is marked as revoked on OCSP responders or (if available as a fallback) in the CA’s CRL. OCSP responses are cached for 6 hours to avoid putting too much load on responders.
Implements #63
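
The lookup order the PR description outlines (OCSP first, the CRL only as a fallback, OCSP answers cached for a TTL), as an added Go example that is not the PR's code. `Checker`, `Source`, `NewChecker`, `sample` and the 0/1/2 gauge encoding are assumptions, and the two sources are injected functions standing in for real OCSP and CRL queries.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const Good, Revoked, Unknown = 0, 1, 2 // assumed gauge encoding, not the PR's
// Source asks one backend (an OCSP responder or a CRL) about a certificate.
type Source func(cert *x509.Certificate) (status int, err error)
type entry struct{ status int; expires time.Time }

// Checker is hypothetical and not goroutine-safe; the PR text describes a 6h TTL.
type Checker struct {
	OCSP, CRL Source
	TTL       time.Duration
	cache     map[string]entry
}
func NewChecker(ocsp, crl Source, ttl time.Duration) *Checker { return &Checker{OCSP: ocsp, CRL: crl, TTL: ttl, cache: map[string]entry{}} }

// Status checks the cache, then OCSP, then the CRL as a fallback.
func (c *Checker) Status(cert *x509.Certificate, now time.Time) int {
	key := cert.Issuer.String() + "#" + cert.SerialNumber.String()
	if e, ok := c.cache[key]; ok && now.Before(e.expires) {
		return e.status
	}
	if st, err := c.OCSP(cert); err == nil {
		c.cache[key] = entry{st, now.Add(c.TTL)} // only OCSP answers are cached
		return st
	}
	if c.CRL != nil { // the CRL is a fallback, used only if available
		if st, err := c.CRL(cert); err == nil {
			return st
		}
	}
	return Unknown // never report Good when no source answered
}

// sample returns a constructed, unsigned certificate stub (not real data).
func sample(n int64) *x509.Certificate {
	return &x509.Certificate{Issuer: pkix.Name{CommonName: "Constructed CA"}, SerialNumber: big.NewInt(n)}
}

func main() {
	c := NewChecker(func(*x509.Certificate) (int, error) { return Good, nil }, nil, 6*time.Hour)
	fmt.Println(c.Status(sample(1), time.Now()))
}
```

Returning `Unknown` when both sources fail keeps a responder outage from reading as a clean certificate, which matters if the value is used for alerting.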