Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CRL support to Prometheus #505

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

RoryKirsi
Copy link

@RoryKirsi RoryKirsi commented Jul 31, 2023

This commit adds support for certificate revocation status by Certificate Revocation List (CRL) in Prometheus.

New fields 'CRL' and 'CRLFile' have been added to the Prometheus config ('tls_config' section). These enable certificate revocation validation with the provided CRL.

The Prometheus loads the Certificate Revocation List (CRL) to validate the revocation status of the peer's certificate chain by invoking the 'verifyPeerCertificate' (https://pkg.go.dev/crypto/tls) function during a TLS handshake.

@roidelapluie Hi, Julien. Please take a look. Thank you.

Ziqi Zhang added 2 commits August 3, 2023 19:32
This commit adds support for certificate revocation status by Certificate
Revocation List (CRL) in Prometheus.

New fields 'CRL' and 'CRLFile' have been added to the Prometheus config
('tls_config' section). These enable certificate revocation validation
with the provided CRL.

The Prometheus loads the Certificate Revocation List (CRL) to validate the
revocation status of the peer's certificate chain by invoking the
'verifyPeerCertificate' (https://pkg.go.dev/crypto/tls) function during
a TLS handshake.

Signed-off-by: Ziqi Zhang <[email protected]>
Move and separate version-sensitive functionalities related to
CRL into two go files within the config package so that it can
build with the corresponding go version.

Signed-off-by: Ziqi Zhang <[email protected]>
@RoryKirsi
Copy link
Author

RoryKirsi commented Sep 26, 2023

@roidelapluie Hi, Julien.
In case you missed my pull request, I tagged you to remind you there is a pull request. Could you help me to review it? Thank you!

@roidelapluie
Copy link
Member

I think that CRL is questionable: the fact we have to implement it ourselve is prone to add security bugs, additionally, there are concerns about CRL in general by the crypto/tls author itsels: https://www.imperialviolet.org/2014/04/19/revchecking.html

What about we implement this when the go team decides to implement it in crypto/tls ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants