diff --git a/README.rst b/README.rst index 942069cf..04be99c2 100644 --- a/README.rst +++ b/README.rst @@ -362,11 +362,19 @@ Configuring OCSP Checking By default, OCSP (Online Certificate Status Protocol) checking is enabled and is set per PDO connection. -To disable OCSP checking for a PDO connection, set :code:`insecure_mode=true` in the DSN connection string. For example: +To disable OCSP checking for a PDO connection, set :code:`disableocspchecks=true` in the DSN connection string. For example: .. code-block:: php - $dbh = new PDO("snowflake:account=testaccount;insecure_mode=true", "user", "password"); + $dbh = new PDO("snowflake:account=testaccount;disableocspchecks=true", "user", "password"); + +By default, OCSP checking uses fail-open approach. For more details see `Fail-Open or Fail-Close behavior `_. + +To switch to use fail-close approach, set :code:`ocspfailopen=false` in the DSN connection string. For example: + +.. code-block:: php + + $dbh = new PDO("snowflake:account=testaccount;ocspfailopen=false", "user", "password"); Proxy ---------------------------------------------------------------------- diff --git a/php_pdo_snowflake_int.h b/php_pdo_snowflake_int.h index d8f21585..d346ca82 100644 --- a/php_pdo_snowflake_int.h +++ b/php_pdo_snowflake_int.h @@ -101,5 +101,7 @@ enum { #define PDO_SNOWFLAKE_CONN_ATTR_LOGIN_TIMEOUT_IDX 19 #define PDO_SNOWFLAKE_CONN_ATTR_MAX_RETRIES_IDX 20 #define PDO_SNOWFLAKE_CONN_ATTR_RETRY_TIMEOUT_IDX 21 +#define PDO_SNOWFLAKE_CONN_ATTR_OCSP_FAIL_OPEN_IDX 22 +#define PDO_SNOWFLAKE_CONN_ATTR_OCSP_DISABLE_IDX 23 #endif /* PHP_PDO_SNOWFLAKE_INT_H */ diff --git a/snowflake_driver.c b/snowflake_driver.c index 9609bf11..0844efa2 100644 --- a/snowflake_driver.c +++ b/snowflake_driver.c 
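Review bot: The two new `PDO_SNOWFLAKE_CONN_ATTR_OCSP_*_IDX` constants in the php_pdo_snowflake_int.h hunk are positional indexes into the `vars` option table in snowflake_driver.c, and nothing in the header ties 22 and 23 to `ocspfailopen` and `disableocspchecks`; a later reorder or insertion in that table would silently route one option's value into the other attribute, which for these two flags changes whether certificate revocation is enforced. Since the index list already has no comment, add one above the block, `/* Positional indexes into the vars[] initializer in pdo_snowflake_handle_factory(); keep both in the same order. */`, so the coupling is visible to whoever edits either side. The enclosing `enum`/define run starts before the hunk.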
@@ -585,7 +585,9 @@ pdo_snowflake_handle_factory(pdo_dbh_t *dbh, zval *driver_options) /* {{{ */ {"includeretryreason", "true", 0}, {"logintimeout", "300", 0}, {"maxhttpretries", "7", 0}, - {"retrytimeout", "300", 0} + {"retrytimeout", "300", 0}, + {"ocspfailopen", "true", 0}, + {"disableocspchecks", "false", 0} }; // Parse the input data parameters @@ -817,6 +819,21 @@ pdo_snowflake_handle_factory(pdo_dbh_t *dbh, zval *driver_options) /* {{{ */ "retryimeout: %d", int_attr_value); } + snowflake_set_attribute( + H->server, SF_CON_OCSP_FAIL_OPEN, + (strcasecmp(vars[PDO_SNOWFLAKE_CONN_ATTR_OCSP_FAIL_OPEN_IDX].optval, "true") == 0) ? + &SF_BOOLEAN_TRUE : &SF_BOOLEAN_FALSE); + PDO_LOG_DBG( + "ocspfailopen: %s", + vars[PDO_SNOWFLAKE_CONN_ATTR_OCSP_FAIL_OPEN_IDX].optval); + + snowflake_global_set_attribute(SF_GLOBAL_OCSP_CHECK, + (strcasecmp(vars[PDO_SNOWFLAKE_CONN_ATTR_OCSP_DISABLE_IDX].optval, "true") == 0) ? + &SF_BOOLEAN_TRUE : &SF_BOOLEAN_FALSE); + PDO_LOG_DBG( + "disableocspchecks: %s", + vars[PDO_SNOWFLAKE_CONN_ATTR_OCSP_DISABLE_IDX].optval); + if (snowflake_connect(H->server) > 0) { pdo_snowflake_error(dbh); goto cleanup; diff --git a/tests/connect.phpt b/tests/connect.phpt index cdee3456..e8820281 100644 --- a/tests/connect.phpt +++ b/tests/connect.phpt 
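Review bot: The `disableocspchecks` mapping in the second hunk looks inverted: `SF_GLOBAL_OCSP_CHECK` receives `&SF_BOOLEAN_TRUE` exactly when the option is `true`, so if that attribute means "perform OCSP checks" (which its name suggests, but confirm against the libsnowflakeclient header) the shipped default of `false` switches OCSP off for the whole process and `disableocspchecks=true` switches it back on, the reverse of what the README in this commit promises, and a successful connect in the test suite would not reveal it. The fix is a swap of the two branches, `(strcasecmp(vars[PDO_SNOWFLAKE_CONN_ATTR_OCSP_DISABLE_IDX].optval, "true") == 0) ? &SF_BOOLEAN_FALSE : &SF_BOOLEAN_TRUE`. Separately, this is a `snowflake_global_set_attribute` call driven by a per-connection DSN value, so whichever PDO object is constructed last decides OCSP checking for every connection in the PHP process, which contradicts the "set per PDO connection" wording and lets one less-trusted DSN weaken certificate validation for the others; if the client library has no per-connection equivalent, the README should state that the setting is process-wide. Values other than a case-insensitive `true` (`1`, `yes`) are silently treated as not-true, which for `ocspfailopen` means fail-close, the safe direction, but a PDO_LOG_DBG or warning on an unrecognized value would keep a typo from being a silent behavior change. pdo_snowflake_handle_factory starts and ends outside the hunk.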
@@ -9,7 +9,7 @@ pdo_snowflake.cacert=libsnowflakeclient/cacert.pem include __DIR__ . "/common.php"; // full parameters - $dbh = new PDO("$dsn;application=phptest;authenticator=snowflake;priv_key_file=tests/p8test.pem;priv_key_file_pwd=test;disablequerycontext=true;includeretryreason=false;logintimeout=250;maxhttpretries=8;retrytimeout=350", $user, $password); + $dbh = new PDO("$dsn;application=phptest;authenticator=snowflake;priv_key_file=tests/p8test.pem;priv_key_file_pwd=test;disablequerycontext=true;includeretryreason=false;logintimeout=250;maxhttpretries=8;retrytimeout=350;ocspfailopen=false;disableocspchecks=true", $user, $password); // create table for testing autocommit later $tablename = "autocommittest" . rand(); $count = $dbh->exec("create or replace table " . $tablename . "(c1 int)");
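Review bot: Combining `disableocspchecks=true` with `ocspfailopen=false` in the same DSN means the fail-close path is never exercised, because OCSP checking is turned off for that connection before it could fail, and a connect that simply succeeds also cannot tell whether the driver applied the intended polarity to the global OCSP flag. Consider a second DSN that leaves checks enabled with only `ocspfailopen=false`, and, if the extension exposes the effective values through a PDO attribute getter (not visible here), assert them directly instead of relying on the connection succeeding. The test script continues past the hunk.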