
Add CRL support to Prometheus

Open RoryKirsi opened this issue 1 year ago • 2 comments

This commit adds support for certificate revocation status by Certificate Revocation List (CRL) in Prometheus.

New fields 'CRL' and 'CRLFile' have been added to the Prometheus config ('tls_config' section). These enable certificate revocation validation with the provided CRL.

Prometheus loads the Certificate Revocation List (CRL) to validate the revocation status of the peer's certificate chain by invoking the 'verifyPeerCertificate' (https://pkg.go.dev/crypto/tls) function during a TLS handshake.

@roidelapluie Hi, Julien. Please take a look. Thank you.

RoryKirsi, Jul 31 '23 06:07
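As an added illustration of the mechanism the description refers to (this is example code, not the pull request's diff or Prometheus code), the Go program below parses a CRL, checks its signature against the issuing CA and its NextUpdate time, and rejects revoked serial numbers from a tls.Config VerifyPeerCertificate callback. The CA, the two client certificates and the CRL are generated in-process as constructed test data; the names newCRLChecker, buildFixture and checkPeer are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// crlChecker holds a parsed CRL and the CA certificate that must have signed it.
type crlChecker struct {
	crl    *x509.RevocationList
	issuer *x509.Certificate
}

// newCRLChecker parses a DER-encoded CRL and rejects it unless the issuer's
// signature verifies and the list has not passed its NextUpdate time at now.
func newCRLChecker(crlDER []byte, issuer *x509.Certificate, now time.Time) (*crlChecker, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return nil, fmt.Errorf("CRL stale since %s", crl.NextUpdate.UTC())
	}
	return &crlChecker{crl: crl, issuer: issuer}, nil
}

// VerifyPeerCertificate has the tls.Config callback signature. crypto/tls fills
// verifiedChains only after normal chain verification succeeded, so this
// revocation check runs on top of, not instead of, that verification.
func (c *crlChecker) VerifyPeerCertificate(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
	if len(verifiedChains) == 0 {
		return fmt.Errorf("no verified chains: chain verification must be enabled")
	}
	for _, chain := range verifiedChains {
		for _, cert := range chain {
			// Serial numbers are only unique per issuer, so this CRL covers
			// nothing but certificates issued by the CA that signed it.
			if !bytes.Equal(cert.RawIssuer, c.issuer.RawSubject) {
				continue
			}
			for _, rc := range c.crl.RevokedCertificates { // RevokedCertificateEntries (Go 1.21+) carries the same serials
				if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
					return fmt.Errorf("certificate %q (serial %s) is revoked", cert.Subject.CommonName, cert.SerialNumber)
				}
			}
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildFixture creates a constructed test PKI: a CA, a valid leaf, a revoked
// leaf, and a CRL signed by the CA that lists the revoked leaf's serial number.
func buildFixture(now time.Time) (ca, good, revoked *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, SubjectKeyId: []byte{1, 2, 3, 4},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf := func(serial int64, cn string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	good, revoked = leaf(2, "good-client"), leaf(3, "revoked-client")
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))
	return ca, good, revoked, crlDER
}

// checkPeer performs the two steps crypto/tls takes for a client certificate:
// chain verification against ClientCAs, then the tls.Config's VerifyPeerCertificate
// callback. It returns nil when the peer is accepted.
func checkPeer(ca, leaf *x509.Certificate, crlDER []byte, now time.Time) error {
	checker, err := newCRLChecker(crlDER, ca, now)
	if err != nil {
		return err
	}
	cfg := &tls.Config{ClientCAs: x509.NewCertPool(), ClientAuth: tls.RequireAndVerifyClientCert, VerifyPeerCertificate: checker.VerifyPeerCertificate}
	cfg.ClientCAs.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.ClientCAs, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	return cfg.VerifyPeerCertificate([][]byte{leaf.Raw}, chains)
}

func main() {
	now := time.Now()
	ca, good, revoked, crlDER := buildFixture(now)
	fmt.Println("good-client:", checkPeer(ca, good, crlDER, now))
	fmt.Println("revoked-client:", checkPeer(ca, revoked, crlDER, now))
	fmt.Println("stale CRL:", checkPeer(ca, good, crlDER, now.Add(2*time.Hour)))
}
```

Three details matter for anyone wiring this into a real config: the callback must only be reached after crypto/tls has verified the chain (InsecureSkipVerify or ClientAuth below RequireAndVerifyClientCert leaves verifiedChains empty), the CRL's own signature and NextUpdate must be checked before its contents are trusted, and a serial number is only meaningful relative to the CA that issued it.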

@roidelapluie Hi, Julien. In case you missed my pull request, I tagged you to remind you there is a pull request. Could you help me to review it? Thank you!

RoryKirsi, Sep 26 '23 04:09

I think that CRL is questionable: the fact we have to implement it ourselves is prone to add security bugs. Additionally, there are concerns about CRL in general by the crypto/tls author itself: https://www.imperialviolet.org/2014/04/19/revchecking.html

What about implementing this when the Go team decides to implement it in crypto/tls?

roidelapluie, Sep 26 '23 10:09