Online Certificate Status Protocol | ODBC Driver for Teradata - Driver support for OCSP, OCSP Stapling and CRL

ODBC Driver for Teradata® User Guide - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, Lake, VMware
Product: ODBC Driver for Teradata
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-11-18
Product Category: Teradata Tools and Utilities

The driver supports Online Certificate Status Protocol (OCSP) and OCSP Stapling only when SSLMode is set to Verify-Full. OCSP responses are cached to improve performance.

During connection, the driver accepts a stapled certificate status if the Teradata Database Gateway sends one, and sends its own OCSP requests to the Certificate Authority (CA) for the status of each intermediate certificate. To do that it reads the OCSP URI from the certificate (its Authority Information Access extension), connects to that OCSP responder, and asks whether the intermediate certificate has been revoked. OCSP is enabled with SSLOCSP=ON and disabled with SSLOCSP=OFF; the default is ON.

OCSP Caching

If a previous connection cached the OCSP response for a certificate, the driver reads the status from the cache instead of sending a new OCSP request to the CA, which avoids a network round trip on every connection.

CRL (Certificate Revocation List)

The driver supports Certificate Revocation Lists (CRLs) only when SSLMode is set to Verify-Full. During connection the driver retrieves the CRL, parses it and checks whether the serial number of any intermediate certificate appears on the list. A match means the certificate has been revoked: the connection returns an error and is not established. CRL checking is enabled with SSLCRL=ON and disabled with SSLCRL=OFF; the default is ON.

CRL Caching

Connections cache the certificate revocation list (CRL). Instead of requesting and downloading the CRL from the CA for every connection, the driver reuses the CRL cached by a previous connection, which improves performance.
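As an added example covering both the OCSP exchange described above and the CRL check in this section (it is not the driver's own code), the following Python script builds a throwaway root CA, intermediate CA and gateway certificate in memory, plays the CA's OCSP responder and CRL issuer as well as the driver side of each exchange, and applies the SSLCRC Allow/Require rules from the connection properties section to each answer. It needs the `cryptography` package. The CA names, the responder URI `http://ocsp.example.test/`, the `responder` function's outcome switch and the `policy_allows` table are assumptions made for this example.

```python
# Added example, not Teradata's driver code: an offline model of the OCSP exchange and CRL check
# described above, using the 'cryptography' package. CA names, the URI and the policy are assumed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID, AuthorityInformationAccessOID

OCSP_URL = "http://ocsp.example.test/"  # hypothetical responder URI carried in the AIA extension
NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)  # naive UTC for the builders
DER = serialization.Encoding.DER

def make_cert(cn, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue a throwaway test certificate (self-signed when no issuer is given) and return it with its key."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    aia = x509.AuthorityInformationAccess(
        [x509.AccessDescription(AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    cert = (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1)).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .add_extension(aia, critical=False)  # the driver reads the responder URI from this extension
            .sign(issuer_key if issuer_key is not None else key, hashes.SHA256()))
    return cert, key

ROOT, ROOT_KEY = make_cert("Example Root CA", is_ca=True)
INTER, INTER_KEY = make_cert("Example Intermediate CA", ROOT, ROOT_KEY, is_ca=True)
SERVER, _ = make_cert("gateway.example.test", INTER, INTER_KEY)
ISSUED = {INTER.serial_number: (INTER, ROOT, ROOT_KEY), SERVER.serial_number: (SERVER, INTER, INTER_KEY)}

def responder(request_der, revoked_serials, outcome="answer"):
    """Toy CA responder: 'answer' signs GOOD/REVOKED, 'try_later' returns tryLater, 'unreachable' returns nothing."""
    if outcome == "unreachable":
        return None
    if outcome == "try_later":
        return ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.TRY_LATER).public_bytes(DER)
    req = ocsp.load_der_ocsp_request(request_der)
    cert, issuer, issuer_key = ISSUED[req.serial_number]
    revoked = req.serial_number in revoked_serials
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
                          revocation_time=NOW if revoked else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, issuer)
            .sign(issuer_key, hashes.SHA256()))
    return resp.public_bytes(DER)

def policy_allows(status, sslcrc):
    """SSLCRC table from this page: REVOKED never connects; Require needs GOOD; Allow accepts everything else."""
    if status == "REVOKED":
        return False
    if sslcrc.lower() == "require":
        return status == "GOOD"
    return True  # Allow: UNKNOWN, TRY_LATER, INTERNAL_ERROR and UNREACHABLE still connect

def driver_check_ocsp(cert, issuer, response_der, sslcrc):
    """Driver side: classify the responder's answer, then apply the SSLCRC policy."""
    if response_der is None:
        status = "UNREACHABLE"
    else:
        resp = ocsp.load_der_ocsp_response(response_der)
        if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
            status = resp.response_status.name  # TRY_LATER, INTERNAL_ERROR, ...
        else:  # trust only a status signed by the issuing CA and issued for the certificate we asked about
            issuer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
            if resp.serial_number != cert.serial_number:
                raise ValueError("OCSP response is for a different certificate")
            status = resp.certificate_status.name  # GOOD, REVOKED or UNKNOWN
    return status, policy_allows(status, sslcrc)

def check_chain(sslcrc, revoked_serials=frozenset(), outcome="answer"):
    """Query each certificate of the chain against its issuer and combine the per-certificate verdicts."""
    statuses, connect = [], True
    for cert, issuer in ((SERVER, INTER), (INTER, ROOT)):
        req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
        status, ok = driver_check_ocsp(cert, issuer, responder(req.public_bytes(DER), revoked_serials, outcome), sslcrc)
        statuses.append(status)
        connect = connect and ok
    return statuses, connect

def issue_crl(issuer_cert, issuer_key, revoked_serials):
    """CA side: sign a CRL that lists the given serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(DER)

def driver_check_crl(cert, issuer, crl_der):
    """Driver side: verify the CRL signature, then look the certificate's serial number up."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(issuer.public_key()):
        raise ValueError("CRL is not signed by the expected issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

`check_chain("Allow", outcome="unreachable")` returns `(["UNREACHABLE", "UNREACHABLE"], True)` while the same call with `"Require"` returns `False`, which is the soft-fail versus hard-fail difference in one line; `check_chain("Allow", {INTER.serial_number})` refuses the connection in either mode because the intermediate is revoked. Both the OCSP and the CRL client functions verify the CA's signature before trusting the status, so a forged "good" answer from the network path is rejected rather than cached.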

Connection Properties Used for OCSP, OCSP Stapling and CRL

You can change these settings through the Windows or Mac UI, or by supplying the keyword either as a connection string parameter or in the ODBC DSN entry.

  • SSLCRC: SSL Certificate Revocation Check. Values are {Allow, Require}; the default is Allow.
    • A certificate status of Revoked never results in a connection, in either mode.
    • Allow (soft-fail): the driver still establishes the connection when the status is Good, Unknown, TryLater or InternalError, or when the OCSP URI cannot be reached.
    • Require (hard-fail): the driver establishes the connection only when the status is Good and fails it otherwise.
    • Because Allow connects when the responder cannot be reached or returns Unknown, anyone who can block the OCSP and CRL lookups can make the check pass without a revocation answer; use Require where a failed lookup must abort the connection.
  • SSLCRCTimeout: applies to the whole SSL Certificate Revocation Check (SSLCRC), that is, the OCSP and CRL lookups together. If the check does not complete within this time, the driver returns a timeout error. The default is 10 (seconds).
  • SSLOCSP: SSLOCSP=ON enables OCSP and is the default; SSLOCSP=OFF disables it.
  • SSLCRL: SSLCRL=ON enables CRL checking and is the default; SSLCRL=OFF disables it.
  • The revocation check cannot be turned off by disabling both mechanisms: at least one of SSLOCSP and SSLCRL must be ON. If both are OFF, the driver raises the TDCRCDisableError error.
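The following Python script is an added example (not Teradata's code) that parses an ODBC connection string, including brace-quoted values, and audits the keywords listed above against the rules on this page: SSLMode must be Verify-Full for any revocation checking to happen, both mechanisms off is rejected with TDCRCDisableError, Allow is soft-fail, and SSLCRCTimeout must be a positive number of seconds. The driver name, host, credentials and the severity labels are placeholders chosen for the example; the defaults come from the list above.

```python
# Added example, not Teradata's code: parse an ODBC connection string and audit the
# revocation-related keywords against the rules described on this page.
# Driver name, host, credentials and the severity labels are assumptions for the example.

PAGE_DEFAULTS = {"sslcrc": "Allow", "sslocsp": "ON", "sslcrl": "ON", "sslcrctimeout": "10"}


def parse_odbc_connection_string(conn_str):
    """Split 'Key=Value;Key={Value with ; inside};...' into a dict keyed by lowercase keyword.
    Braces quote a value containing ';' (ODBC convention); '}}' inside braces is a literal '}'."""
    params, i, n = {}, 0, len(conn_str)
    while i < n:
        if conn_str[i] in " ;":
            i += 1
            continue
        eq = conn_str.find("=", i)
        if eq < 0:
            raise ValueError(f"keyword without '=' at offset {i}")
        key = conn_str[i:eq].strip().lower()
        i = eq + 1
        if i < n and conn_str[i] == "{":
            i, buf = i + 1, []
            while True:
                if i >= n:
                    raise ValueError(f"unterminated '{{' in value of {key}")
                if conn_str[i] == "}":
                    if i + 1 < n and conn_str[i + 1] == "}":  # escaped closing brace
                        buf.append("}")
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(conn_str[i])
                i += 1
            value = "".join(buf)
        else:
            end = conn_str.find(";", i)
            end = n if end < 0 else end
            value = conn_str[i:end].strip()
            i = end
        params[key] = value
    return params


def audit_revocation_settings(params):
    """Return (severity, message) findings; an empty list means the hard-fail profile is in place."""
    def get(key):
        return params.get(key, PAGE_DEFAULTS.get(key, "")).strip()
    findings = []
    sslmode = get("sslmode")
    if sslmode.lower() != "verify-full":
        findings.append(("high", f"SSLMode={sslmode or '<unset>'}: OCSP and CRL checks run only with SSLMode=Verify-Full"))
    ocsp_on, crl_on = get("sslocsp").upper() == "ON", get("sslcrl").upper() == "ON"
    if not ocsp_on and not crl_on:
        findings.append(("error", "SSLOCSP=OFF and SSLCRL=OFF: the driver rejects this with TDCRCDisableError"))
    crc = get("sslcrc").lower()
    if crc == "allow":
        findings.append(("medium", "SSLCRC=Allow is soft-fail: Unknown, TryLater, InternalError or an unreachable responder still connects"))
    elif crc != "require":
        findings.append(("error", f"SSLCRC={get('sslcrc')}: expected Allow or Require"))
    timeout = get("sslcrctimeout")
    if not timeout.isdigit() or int(timeout) == 0:
        findings.append(("error", f"SSLCRCTimeout={timeout}: expected a positive number of seconds"))
    return findings


def hardened(params):
    """Copy of params with the hard-fail revocation profile applied; every other keyword is kept."""
    out = dict(params)
    out.update({"sslmode": "Verify-Full", "sslcrc": "Require", "sslocsp": "ON", "sslcrl": "ON"})
    out.setdefault("sslcrctimeout", PAGE_DEFAULTS["sslcrctimeout"])
    return out


def to_connection_string(params):
    """Serialize back to ODBC form, brace-quoting values that contain ';' or braces."""
    def quote(value):
        return "{" + value.replace("}", "}}") + "}" if any(c in value for c in ";{}") else value
    return ";".join(f"{key}={quote(value)}" for key, value in params.items())


# Constructed sample: a soft-fail configuration with both revocation mechanisms switched off.
WEAK = ("Driver={Teradata Database ODBC Driver 17.20};DBCName=td.example.test;UID=dbc;"
        "PWD={p;w}}d};SSLMode=Require;SSLCRC=Allow;SSLOCSP=OFF;SSLCRL=OFF")

if __name__ == "__main__":
    weak = parse_odbc_connection_string(WEAK)
    for severity, message in audit_revocation_settings(weak):
        print(f"[{severity}] {message}")
    print(to_connection_string(hardened(weak)))
```

Keywords are lowercased on parsing because ODBC keywords are case-insensitive; the serialized hardened string therefore comes back as `sslmode=Verify-Full;sslcrc=Require;...`, which the driver accepts the same way. The brace handling matters in practice: a password such as `p;w}d` must be written as `PWD={p;w}}d}` or the `;` ends the value early and the keywords after it are silently misread.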