ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0
525 stars 99 forks

Report revocation status for every certificate #81

Closed johanfleury closed 2 years ago

johanfleury commented 2 years ago

This adds a new metric ssl_revocation_status for each certificate in every trusted chain. This metric shows whether the certificate is marked as revoked on OCSP responders or (if available, as a fallback) in the CA’s CRL.

OCSP responses are cached for 6 hours to avoid putting too much load on responders.

Implements #63
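The comment above describes the mechanism: a per-certificate revocation status taken from OCSP, with the CA's CRL as a fallback, and responses cached for 6 hours. The following is an added example, not code from this PR or from ssl_exporter, showing the CRL half of that check with only the Go standard library. It generates a throwaway CA, one revoked and one valid leaf certificate and a CRL signed by the CA (all constructed in-process so it runs offline), refuses to consult a CRL whose issuer name or signature does not match the issuing certificate, and caches the parsed list per issuer with a 6 hour TTL so repeated probes do not re-fetch it. The `CRLCache`, `Status`, `makeFixture` and `RevocationStatus` names and the three-state result are assumptions of this example; the OCSP query is left out because it is not in the standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// RevocationStatus is the per-certificate state a probe could export (assumed encoding).
type RevocationStatus int

const (
	StatusGood    RevocationStatus = iota // serial not listed in a verified CRL
	StatusRevoked                         // serial listed in a verified CRL
	StatusUnknown                         // CRL unavailable, unparsable or badly signed
)

// CRLFetcher returns a DER-encoded CRL. A real exporter would download the issuer's
// CRL distribution point here; in this example the caller supplies the bytes.
type CRLFetcher func() ([]byte, error)

type crlEntry struct {
	list      *x509.RevocationList
	fetchedAt time.Time
}

// CRLCache keeps one verified CRL per issuer and calls the fetcher again only after ttl.
type CRLCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock so the TTL can be exercised without sleeping
	entries map[string]crlEntry
	fetches int
}

func NewCRLCache(ttl time.Duration) *CRLCache {
	return &CRLCache{ttl: ttl, now: time.Now, entries: map[string]crlEntry{}}
}

// Fetches reports how many times the fetcher was actually invoked.
func (c *CRLCache) Fetches() int { c.mu.Lock(); defer c.mu.Unlock(); return c.fetches }

// lookup returns a fresh CRL for issuer, verified against the issuer's key before it is trusted.
func (c *CRLCache) lookup(issuer *x509.Certificate, fetch CRLFetcher) (*x509.RevocationList, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	key, now := string(issuer.RawSubject), c.now()
	if e, ok := c.entries[key]; ok && now.Sub(e.fetchedAt) < c.ttl {
		return e.list, nil // served from cache: no new request to the CA
	}
	c.fetches++
	der, err := fetch()
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	// A list that names a different issuer, or whose signature does not verify with the
	// issuer's key, says nothing trustworthy about this certificate.
	if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
		return nil, fmt.Errorf("CRL issuer does not match certificate issuer")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, err
	}
	c.entries[key] = crlEntry{list: crl, fetchedAt: now}
	return crl, nil
}

// Status reports cert's revocation state according to issuer's CRL; any failure to obtain
// or verify the list is reported as unknown rather than as good.
func (c *CRLCache) Status(cert, issuer *x509.Certificate, fetch CRLFetcher) RevocationStatus {
	crl, err := c.lookup(issuer, fetch)
	if err != nil {
		return StatusUnknown
	}
	for _, rc := range crl.RevokedCertificates { // populated by every Go release that has ParseRevocationList
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeFixture constructs a CA, a revoked and a valid leaf, and a CRL signed by the CA.
func makeFixture() (ca, revoked, valid *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
	}
	// Re-parse so the CA carries the SubjectKeyId that CreateRevocationList requires.
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf := func(serial int64, cn string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	revoked, valid = leaf(1001, "revoked.example.test"), leaf(1002, "valid.example.test")
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(6 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return ca, revoked, valid, crlDER
}

func main() {
	ca, revoked, valid, crlDER := makeFixture()
	cache := NewCRLCache(6 * time.Hour)
	fetch := func() ([]byte, error) { return crlDER, nil }
	for _, c := range []*x509.Certificate{revoked, valid} {
		fmt.Printf("%-22s serial=%v status=%d\n", c.Subject.CommonName, c.SerialNumber, cache.Status(c, ca, fetch))
	}
	fmt.Println("CRL fetches:", cache.Fetches()) // 1: the second probe was served from the cache
}
```

The three-state result is what makes this usable as an alerting metric rather than a pass/fail probe: a CRL that cannot be fetched or does not verify yields unknown, which an alert rule can treat differently from a confirmed revocation, and the cache key is the issuer's subject so every certificate issued by the same CA shares one download per TTL window.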

ribbybibby commented 2 years ago

Thank you so much for your contributions and interest in this project @johanfleury, I really appreciate it.

Sorry that I haven't got around to reviewing your PRs yet, I haven't had the time I'd like to dedicate to this project recently. I'm hoping to change that.

On this PR specifically, I think I'm happy to add revocation checking but, as this extends the standard functionality of tls.Config and makes extra requests, I think it should be optional and opt-in.

I also wonder whether this should be implemented as a metric (as it is here) or as a custom verification function (so that the probe would fail for a revoked certificate). Or both?

What do you think?

johanfleury commented 2 years ago

Sorry that I haven't got around to reviewing your PRs yet, I haven't had the time I'd like to dedicate to this project recently. I'm hoping to change that.

No worries, we all need to take care of ourselves :)

I think it should be optional and opt-in.

That’s fair, I can add a flag or a module setting for that.

I also wonder whether this should be implemented as a metric (as it is here) or as a custom verification function (so that the probe would fail for a revoked certificate). Or both?

I would rather keep this as a metric that I can alert on rather than just having to rely on a generic “probe failed” alert.

To be honest, this is really a strange use-case and I was not really expecting this PR to be merged anyway :D

As I mentioned in the associated issue, none of the tools I’ve tested (OpenSSL, GnuTLS, Go TLS library, etc.) were impacted by an intermediate cert being revoked, we just happened to have some platforms that were and I was tasked to monitor that.

johanfleury commented 2 years ago

Closing this as I don’t have the need for this anymore.