snowflakedb / gosnowflake

Go Snowflake Driver
Apache License 2.0

SNOW-1540431: Panic on OCSP failure with disabled OCSP cache #1180

Closed adesso-os closed 1 month ago

adesso-os commented 1 month ago

Please answer these questions before submitting your issue. In order to accurately debug the issue this information is required. Thanks!

The system is running in such a high level of isolation that it's not trivial to get all the details. Stack trace is pointing to https://github.com/snowflakedb/gosnowflake/blob/06ec38e9e1c6881405e4b4073f288602ada8c3ba/connection.go#L772

  1. What version of GO driver are you using? 1.10

  2. What operating system and processor architecture are you using? Linux amd64

  3. What version of GO are you using? Whatever Terraform uses.

  4. Server version:* E.g. 1.90.1 You may get the server version by running a query:

    SELECT CURRENT_VERSION();
  5. What did you do?

    1. Tried to establish a connection to a Snowflake instance that is located behind an AWS PrivateLink.
    2. Due to port 80 being blocked on this network path, OCSP fails.
    3. Disabled OCSP caching by setting SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED to "false".
    4. Next time the connection is attempted, OCSP check fails. Snowflake SDK will then try to persist this failure into the cache, which is uninitialized. Result = Panic
  6. What did you expect to see?

A regular error/failure.

  7. Can you set logging to DEBUG and collect the logs?

No

  8. What is your Snowflake account identifier, if any? (Optional)
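As an added illustration, not code from the driver or from the linked fix, the Go program below models the defect class the report describes: a write path that persists an OCSP failure into a cache without checking that the cache was ever initialised (the "caching disabled" state), next to a guarded version that treats a disabled cache as a no-op and hands the OCSP error back to the caller as an ordinary error. All names here (`ocspStatusCache`, `recordFailureUnguarded`, `recordFailureGuarded`, `errOCSPUnreachable`) and the sample fingerprint are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// errOCSPUnreachable is a constructed stand-in for the error an OCSP check
// returns when the responder or cache server cannot be reached.
var errOCSPUnreachable = errors.New("ocsp: responder unreachable")

// ocspStatusCache is a hypothetical model of a process-wide OCSP status cache.
// A nil *ocspStatusCache stands for "cache disabled", the state the report
// describes after SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED=false.
type ocspStatusCache struct {
	mu      sync.Mutex
	entries map[string]string // certificate fingerprint -> last recorded status
}

func newOCSPStatusCache() *ocspStatusCache {
	return &ocspStatusCache{entries: make(map[string]string)}
}

// lookup returns the recorded status for a fingerprint and whether one exists.
// It is nil-safe so callers can use it whether or not caching is enabled.
func (c *ocspStatusCache) lookup(fingerprint string) (string, bool) {
	if c == nil || c.entries == nil {
		return "", false
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	v, ok := c.entries[fingerprint]
	return v, ok
}

// recordFailureUnguarded reproduces the defect class from the report: the
// failure is persisted without checking that the cache was initialised.
// With a nil receiver the Lock call dereferences a nil pointer; with a
// non-nil struct whose map is nil, the assignment panics on a nil map write.
func recordFailureUnguarded(c *ocspStatusCache, fingerprint string, cause error) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[fingerprint] = "failed: " + cause.Error()
	return cause
}

// recordFailureGuarded is the hardened form: a disabled or uninitialised
// cache makes the write a no-op, and the original OCSP error is returned to
// the caller as a regular error instead of crashing the process.
func recordFailureGuarded(c *ocspStatusCache, fingerprint string, cause error) error {
	if c == nil || c.entries == nil {
		return cause
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[fingerprint] = "failed: " + cause.Error()
	return cause
}

// didPanic reports whether f panicked, so the two write paths can be
// compared without taking the program down.
func didPanic(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	var disabled *ocspStatusCache // caching turned off
	fp := "sha256:deadbeef"       // constructed sample fingerprint
	fmt.Println("unguarded write with cache disabled panics:",
		didPanic(func() { _ = recordFailureUnguarded(disabled, fp, errOCSPUnreachable) }))
	fmt.Println("guarded write with cache disabled returns:",
		recordFailureGuarded(disabled, fp, errOCSPUnreachable))

	enabled := newOCSPStatusCache()
	_ = recordFailureGuarded(enabled, fp, errOCSPUnreachable)
	status, _ := enabled.lookup(fp)
	fmt.Println("guarded write with cache enabled records:", status)
}
```

The point for a driver author is that "feature disabled" must be a valid state on every path that touches the feature's storage, and that an OCSP failure should surface as the error the caller already expects from a failed certificate check rather than as a secondary crash in bookkeeping code.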
sfc-gh-dszmolka commented 1 month ago

hi and thank you for raising this issue with us! will take a look

sfc-gh-dszmolka commented 1 month ago

also while we're looking; if this is a super urgent and breaking issue for you, you can try

sfc-gh-dszmolka commented 1 month ago

the issue seems to be reproducible even on an environment where port 80 is open, just by simply applying the envvar you mentioned

SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED=false go run cmd/select1/select1.go

instantly causes a panic when the driver tries to build the connection. we'll take a look and fix it.

in the meantime, if you check SYSTEM$ALLOWLIST_PRIVATELINK() output and configure OCSP_CACHE and OCSP_CACHE_REGIONLESS to both point to your VPC Endpoint then you don't need to allow port 80 to any direction which is on the public internet and can avoid using SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED

alternatively, as recommended you can temporarily set insecureMode but it's not recommended to keep it on for a long term.

thank you for drawing our attention to this problem!

sfc-gh-dszmolka commented 1 month ago

fixed with https://github.com/snowflakedb/gosnowflake/pull/1181 edit: fix is merged in the meantime so now we're awaiting the next release to roll out with the fix

adesso-os commented 1 month ago

Awesome! Thanks for the quick work. I really appreciate it!

sfc-gh-dszmolka commented 1 month ago

released with gosnowflake v1.11.0 in July 2024