Is your feature request related to a problem? Please describe.
We've exposed the configuration needed to have an OCSP response stapled to a TLS request, but we do not handle automating the OCSP response fetch. Currently, a customer would have to manually rotate secrets every time they want to update the stapled OCSP response.
Envoy is currently not capable of fetching OCSP responses directly. However, a control plane or an operator may configure Envoy to use pre-computed OCSP responses.
- guydc, from original issue
Describe the solution you'd like
We'd like to automate the OCSP response fetching process so users won't have to manually do so.
We could do so by adding logic (e.g. updating our control plane, and/or creating a service like ext-auth?) which automatically fetches an updated OCSP response every X {time_unit}.
Describe alternatives you've considered
No response
Additional Context
The initial work exposing Envoy's OCSP stapling in Gloo was done in #5605
A design document for the initial Envoy exposure work can be found here - it also slightly touches on the automation portion and what we can look for.
Certificates that produce OCSP responses tend to (/always?) have an Authority Information Access extension which can hold the OCSP server's address. more info
Through Go, we should be able to convert the stored certificate string into an x509.Certificate (example) and get the server through certificate.OCSPStaple, then ping it for an updated OCSP response.
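As an added example of the fetch step sketched above (this is not code from the issue or from the Gloo codebase), written in Go against the standard library only: it parses the PEM certificate, reads the AIA responder URL, which Go exposes on x509.Certificate as the OCSPServer field, DER-encodes an unsigned RFC 6960 OCSP request by hand (in production the golang.org/x/crypto/ocsp package does this and also parses the reply), POSTs it to the responder, and picks the next refresh time from the response's validity window. The self-signed certificate, the responder URL http://ocsp.example.test/, and the "refresh halfway through validity" policy are constructed assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"time"
)

// ocspServersFromPEM parses a PEM certificate (e.g. the tls.crt value of a secret)
// and returns the OCSP responder URLs from its Authority Information Access
// extension, which Go exposes as x509.Certificate.OCSPServer.
func ocspServersFromPEM(certPEM []byte) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if len(cert.OCSPServer) == 0 {
		return nil, errors.New("certificate has no AIA OCSP URL, so it cannot be refreshed automatically")
	}
	return cert.OCSPServer, nil
}

// Minimal RFC 6960 OCSPRequest: unsigned, one CertID, no extensions.
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}
type singleRequest struct{ ReqCert certID }
type tbsRequest struct{ RequestList []singleRequest }
type ocspRequest struct{ TBSRequest tbsRequest }

var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}

// buildOCSPRequest DER-encodes the request for leaf. issuerKeyHash covers only the
// issuer's subjectPublicKey BIT STRING, not the whole SubjectPublicKeyInfo; hashing
// the wrong bytes makes the responder answer "unauthorized" or "unknown".
func buildOCSPRequest(leaf, issuer *x509.Certificate) ([]byte, error) {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki); err != nil {
		return nil, err
	}
	nameHash := sha1.Sum(issuer.RawSubject)
	keyHash := sha1.Sum(spki.PublicKey.RightAlign())
	return asn1.Marshal(ocspRequest{TBSRequest: tbsRequest{RequestList: []singleRequest{{ReqCert: certID{
		HashAlgorithm:  pkix.AlgorithmIdentifier{Algorithm: oidSHA1, Parameters: asn1.NullRawValue},
		IssuerNameHash: nameHash[:],
		IssuerKeyHash:  keyHash[:],
		SerialNumber:   leaf.SerialNumber,
	}}}}})
}

// fetchOCSPResponse POSTs the DER request and returns the raw DER reply, which is
// the bytes a control plane would write into the secret used for the staple.
func fetchOCSPResponse(url string, reqDER []byte) ([]byte, error) {
	resp, err := http.Post(url, "application/ocsp-request", bytes.NewReader(reqDER))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("responder returned HTTP %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap size; responses are a few KB
}

// nextRefresh schedules the re-fetch halfway through the response's validity window
// (assumed policy) so the staple is replaced well before it expires.
func nextRefresh(thisUpdate, nextUpdate time.Time) time.Time {
	validity := nextUpdate.Sub(thisUpdate)
	if validity <= 0 {
		return thisUpdate // already expired or malformed: refresh now
	}
	return thisUpdate.Add(validity / 2)
}

// selfSignedDemoCert builds a constructed self-signed certificate carrying an AIA
// OCSP URL, standing in for the customer's issued certificate.
func selfSignedDemoCert() (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "demo.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		OCSPServer: []string{"http://ocsp.example.test/"}, // constructed responder URL
		IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}
```

A real refresh loop would call ocspServersFromPEM on the secret's certificate, buildOCSPRequest with the leaf and its actual issuer (the next certificate in the chain, not the leaf itself as the demo does), fetchOCSPResponse against the first returned URL, then verify the reply's signature and read its ThisUpdate/NextUpdate before writing it back to the secret and sleeping until nextRefresh. Treating a fetch failure as "keep the current staple and retry" rather than "write an empty staple" matters: a missing staple is what the customer has today, while a bad one breaks the TLS handshake for clients that require stapling.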
This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.
Version
None