Backport of Support OCSP responses without NextUpdate field set into release/1.16.x #26023
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
github-actions
bot
added
the
hashicorp-contributed-pr
|
CI Results: |
* Support OCSP responses without a NextUpdate value set - Validate that the ThisUpdate value is properly prior to our current time and if NextUpdate is set that, ThisUpdate is before NextUpdate. - If we don't have a value for NextUpdate just compare against ThisUpdate. * Add ocsp_this_update_max_ttl support to cert auth - Allow configuring a maximum TTL of the OCSP response based on the ThisUpdate time like OpenSSL does - Add test to validate that we don't cache OCSP responses with no NextUpdate * Add cl * Add missing ` in docs * Rename ocsp_this_update_max_ttl to ocsp_this_update_max_age * Missed a few TTL references * Fix error message
stevendpclark
force-pushed
the
backport/stevendpclark/vault-24614-ocsp-no-nextupdate/uniquely-outgoing-goshawk
branch
from
18d39c1 to
5009d77
Compare
stevendpclark
approved these changes
Mar 19, 2024
|
Build Results: |
stevendpclark
deleted the
backport/stevendpclark/vault-24614-ocsp-no-nextupdate/uniquely-outgoing-goshawk
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #25912 to be assessed for backporting due to the inclusion of the label backport/1.16.x.
🚨
The person who merged in the original PR is:
@stevendpclark
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.
The below text is copied from the body of the original PR.
Support OCSP responses without a NextUpdate value set within cert-auth OCSP verification. Responses without a NextUpdate value are allowed based on RFC6960 Section 4.2.2.1
Previous to this fix, if OCSP checks were enabled and an OCSP response didn't contain a NextUpdate value, cert auth logins would fail with a message similar to
Now OCSP responses without a NextUpdate field set will be allowed, the response will not be cached, as mentioned in the RFC, a lack of a NextUpdate field means there is newer revocation information available all the time.
Additional checks that the ThisUpdate field does contain a proper timestamp and is before then the current time have also been added within the list of verifications performed for us to trust an OCSP response.
A new cert auth configuration has been introduced called
ocsp_this_update_max_ttl, with a default of 0. If this field is greater than 0, cert-auth will enforce an OCSP response's ThisUpdate field is less than the configured value. This can be used to avoid accepting older OCSP response values based on policies. We have avoided enforcing this by default for backwards compatibility reasons.Overview of commits