OCSP 配置¶

本主题概述了 OCSP、其在 Snowflake 中的用途，以及帮助诊断 OCSP 问题的信息。

概述

Snowflake 使用在线证书状态协议 (OCSP) 来提供最大的安全性，以确定当 Snowflake 客户端尝试通过 HTTPS 连接到端点时是否会吊销证书。

在根证书颁发机构 (CA) 颁发中间证书之前，Snowflake 使用 OCSP 评估信任链中的每个证书。确保不会吊销每个证书有助于 Snowflake 在身份验证过程中与受信任的参与者建立安全连接。

根据您的客户端或驱动程序版本以及本页描述的配置，可以关闭 OCSP 并调整 OCSP 确定吊销证书时发生的操作。

故障打开或故障关闭行为

目前，在 OCSP 事件期间，就 Snowflake 客户端或驱动程序响应方面，用户可以选择两种行为中的任何一种。

故障打开
故障关闭

故障打开

Snowflake supports a fail-open approach by default in terms of evaluating the OCSP CA response. The fail-open approach has the following characteristics:

指示吊销证书的响应会导致连接失败。

A response with any other certificate errors or statuses allows the connection to occur, but denotes the message in the logs at the WARNING level with the relevant details in JSON format.

用户可以监控特定驱动程序或连接器的日志，以确定故障打开日志事件的频率。

These event logs can be combined with the Snowflake Status Page (https://status.snowflake.com) to determine the best course of action, such as temporarily restricting client access or pivoting to fail-close behavior.

目前，故障打开默认方法适用于以下客户端和驱动程序版本。

Client / Driver	Version
SnowSQL	v1.1.79 or later
Python Connector	v1.8.0 or later
JDBC Driver	v3.8.0 or later
ODBC Driver	v2.19.0 or later
SQL Alchemy	Upgrade Python Connector to v1.8.0 or later
Spark	v2.4.14 or later if using Maven or SBT to build the Spark application. JDBC v3.8.0 or later if attaching JAR files to Spark cluster. Request Databricks to upgrade their Spark connector if using the Databricks built-in Spark connector.
Go Driver	v1.2.0 or later
Node.js	v1.2.0 or later

Note

Snowflake 不支持 .NET 驱动程序的 OCSP 检查。相反，.NET 使用自己的框架来检查 HTTPS 证书的有效性。

故障关闭

故障关闭行为对于解释 OCSP CA 响应具有更大的限制。出于任何原因，如果客户端或驱动程序没有收到有效的 OCSP CA 响应，则连接失败。

由于此行为不是基于故障打开部分中列出的版本的默认行为，因此必须在每个驱动程序或连接器中手动配置故障关闭。

To preserve the fail-close behavior, set the corresponding ocsp_fail_open parameter to false.

Client / Driver	Setting
SnowSQL	`snowsql -o ocsp_fail_open=false`
Python Connector	For details, see Choosing fail-open or fail-close mode in the Python Connector documentation.
JDBC Driver	For details, see Choosing fail-open or fail-close mode in the JDBC Driver documentation.
ODBC Driver	Choose one of the following: Set the connection parameter to `OCSP_FAIL_OPEN=false` Use the environment variable $SIMBAINI to locate the corresponding file. Then set `OCSPFailOpen=false`
SQL Alchemy	See JDBC Driver settings
Spark	The Spark Connector does not have an `ocsp_fail_open` parameter. Fail-close can only be preserved with Spark if using the JDBC driver.
Go Driver	Do either of the following: - Set the connection parameter `OCSPFailOpen` in Config to `ocspFailOpenTrue` or `ocspFailOpenFalse`, for example: `import ( ... sf "github.com/snowflakedb/gosnowflake ... ")` `config: &Config{ Account: "xy12345", ..., OCSPFailOpen: sf.ocspFailOpenFalse, ... }` - Set the `ocspFailOpen` connection parameter in the connect string to `true` or `false`, for example, `user:pass@account/db/s?ocspFailOpen=false`. Note the differences in case (uppercase / lowercase). For more information on Go connection parameters, see the GoDoc gosnowflake documentation (https://godoc.org/github.com/snowflakedb/gosnowflake).
Node.js	Set the global parameter `ocspFailOpen=false`. For details, see Node.js options reference.

旧版客户端和驱动程序版本

如果您的客户端或驱动程序版本早于故障打开部分中列出的版本，则无法选择故障打开行为。因此，故障关闭行为是默认的。

使用与 OCSP 相关的旧版客户端和驱动程序版本的 Snowflake 部署具有三个选项：

将他们的客户端或驱动程序升级到最新版本（最佳选项）。
继续使用故障关闭行为。
Turn off OCSP monitoring as described in this Knowledge Base article (https://community.snowflake.com/s/article/How-to-turn-off-OCSP-checking-in-Snowflake-client-drivers) (in the Snowflake Community).

最佳实践

为了降低风险，Snowflake 建议采用以下最佳实践来确保通信安全。

使用与 Snowflake 服务的专用连接并阻止对 Snowflake 的公共访问。
仅允许客户端驱动程序在托管桌面和服务器上运行。
将客户端驱动程序日志发送到管理系统或上传到 Snowflake。监控未进行 OCSP 检查的连接。

Note

Support for private connectivity to the Snowflake service requires Business Critical (or higher). To inquire about upgrading, please contact Snowflake Support.

Snowflake 使用的 CA 站点和 OCSP 响应器主机¶

You can call the SYSTEM$ALLOWLIST or SYSTEM$ALLOWLIST_PRIVATELINK function in your Snowflake account to get the hosts Snowflake uses for OCSP verification checks. The host values are unique to the cloud platform and region where your Snowflake account exists. The reasons for the different host values are based on the CA that the cloud platform uses and when the certificates are updated or renewed.

例如：

SELECT t.VALUE:type::VARCHAR as type,
  t.VALUE:host::VARCHAR as host,
  t.VALUE:port as port
FROM TABLE(FLATTEN(input => PARSE_JSON(SYSTEM$ALLOWLIST_PRIVATELINK()))) AS t
WHERE type ILIKE ANY ('OCSP%');

+-----------------------+---------------------------------------------------------------+------+
| TYPE                  | HOST                                                          | PORT |
|-----------------------+---------------------------------------------------------------+------|
| OCSP_CACHE            | ocsp.account1234.us-west-2.privatelink.snowflakecomputing.cn | 80   |
| OCSP_CACHE_REGIONLESS | ocsp.my_org-my_account.privatelink.snowflakecomputing.cn     | 80   |
+-----------------------+---------------------------------------------------------------+------+

OCSP 认证检查需要端口 80¶

All communication with Snowflake happens using port 443. However, OCSP certification checks are transmitted over port 80. If your workstation is behind a firewall, make sure that the network administrator for your organization has opened the firewall to traffic on ports 443 and 80.