Client and Server certificate validation in Snowflake
Hi experts, could anyone explain how Client certificate and Server certificate validation work in Snowflake? I am confused about what OCSP actually does in each flow.
Solution 1:[1]
More details: https://docs.snowflake.com/en/user-guide/ocsp.html#ocsp-overview
Summary: OCSP is an industry standard that is meant to run over Port 80. Snowflake uses Online Certificate Status Protocol (OCSP) to provide maximum security to determine whether a certificate is revoked when Snowflake clients attempt to connect to an endpoint through HTTPS.
Snowflake uses OCSP to evaluate each certificate in the chain of trust, up to the intermediate certificate that the root certificate authority (CA) issues. Ensuring that each certificate is not revoked helps Snowflake to establish secure connections with trusted actors during the identity verification process.
Why does OCSP use Port 80?
Port 443 is primarily used for HTTPS (HTTP over SSL/TLS). Certificates are inherent to a secure TLS connection, and hence the certificate revocation check would also be inherent to TLS. OCSP is a standard meant for performing certificate revocation checks. Running OCSP checks over port 443 can mean two things:
1. OCSP traffic is encapsulated within TLS traffic, but then, since TLS needs a certificate revocation check and OCSP is meant for the certificate revocation check, there is no way to perform the revocation check for OCSP itself.
2. A potential proxy TLS service that proxies OCSP traffic to the right OCSP server. The client-to-proxy connection would be on port 443 and the proxy-to-OCSP-server connection on port 80. This, however, would not change the security scenario in any way, since there would still be a client reaching out to port 80.
The OCSP Servers running on Port 80 are not run by Snowflake. These are run by the Certificate Authorities, which are beyond our control. This is also a standard.
The point to note here is that opening Port 80 with strict whitelisting is reasonably secure, as there is full control over what goes on on that port.
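As an added, runnable illustration of the chain walk the answer describes (example code written for this page, not Snowflake's or any library's own logic): it builds a constructed three-certificate chain with the `cryptography` package, has each CA answer OCSP for the certificates it issued, and checks every non-root certificate against its issuer's responder. The transport is modelled as a plain function call, which mirrors the port-80 point above: the response is protected by the CA's signature, not by the channel, so the client verifies that signature, the serial number and the freshness window before trusting the status. The CA names, the hostname `account.example.invalid` and the `fail_open` flag are assumptions made for the example; the flag only exists to show the two ways a client can treat an unreachable responder.

```python
"""Constructed example: OCSP revocation checks along a certificate chain.
CA names, hostname and keys are generated at run time; nothing here is
Snowflake's own code or infrastructure."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)
DER = serialization.Encoding.DER


class ConstructedCA:
    """A toy CA: issues certificates and runs the OCSP responder for them."""

    def __init__(self, common_name, issuer=None):
        self.key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
        self.issued = {}      # serial -> certificate; what the responder knows about
        self.revoked = set()  # serials this CA has revoked
        signer = issuer if issuer is not None else self  # a root CA self-signs
        self.cert = signer.issue(self.name, self.key.public_key(), is_ca=True)

    def issue(self, subject, public_key, is_ca=False):
        cert = (
            x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(self.name)
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(self.key, hashes.SHA256())
        )
        self.issued[cert.serial_number] = cert
        return cert

    def ocsp_responder(self, request_der):
        """Answer one DER OCSP request with a response signed by this CA's key."""
        req = ocsp.load_der_ocsp_request(request_der)
        cert = self.issued.get(req.serial_number)
        if cert is None:  # not issued by us: a responder answers 'unauthorized'
            status = ocsp.OCSPResponseStatus.UNAUTHORIZED
            return ocsp.OCSPResponseBuilder.build_unsuccessful(status).public_bytes(DER)
        revoked = req.serial_number in self.revoked
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=cert, issuer=self.cert, algorithm=req.hash_algorithm,
            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
            this_update=NOW, next_update=NOW + timedelta(hours=12),
            revocation_time=NOW if revoked else None, revocation_reason=None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, self.cert)
        return builder.sign(self.key, hashes.SHA256()).public_bytes(DER)


def check_chain(chain, responders, fail_open=False):
    """Check every non-root certificate in chain (leaf first) against its issuer's
    OCSP responder. responders maps issuer subject (RFC 4514 string) -> callable
    taking a DER request and returning a DER response. Returns (ok, reason)."""
    now = NOW.replace(tzinfo=None)  # cryptography reports OCSP times as naive UTC
    for cert, issuer in zip(chain, chain[1:]):
        who = cert.subject.rfc4514_string()
        responder = responders.get(issuer.subject.rfc4514_string())
        if responder is None:
            if fail_open:  # assumption: a client that tolerates unreachable responders
                continue
            return False, f"{who}: no OCSP responder reachable"
        req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
        resp = ocsp.load_der_ocsp_response(responder(req.public_bytes(DER)))
        if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
            return False, f"{who}: responder error {resp.response_status.name}"
        # The issuer's signature, not the transport, makes the answer trustworthy.
        try:
            issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                       padding.PKCS1v15(), resp.signature_hash_algorithm)
        except InvalidSignature:
            return False, f"{who}: OCSP response signature does not verify"
        if resp.serial_number != cert.serial_number:
            return False, f"{who}: response is about a different certificate"
        if resp.next_update is None or resp.next_update < now:
            return False, f"{who}: stale OCSP response"
        if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
            return False, f"{who}: status {resp.certificate_status.name}"
    return True, "every non-root certificate reported GOOD"


def build_constructed_pki():
    """Root -> intermediate -> leaf, plus each CA's responder keyed by its subject."""
    root = ConstructedCA("Constructed Root CA")
    inter = ConstructedCA("Constructed Intermediate CA", issuer=root)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "account.example.invalid")])
    leaf = inter.issue(leaf_name, leaf_key.public_key())
    responders = {ca.name.rfc4514_string(): ca.ocsp_responder for ca in (root, inter)}
    return [leaf, inter.cert, root.cert], responders, {"root": root, "intermediate": inter}


if __name__ == "__main__":
    chain, responders, cas = build_constructed_pki()
    print(check_chain(chain, responders))
    cas["intermediate"].revoked.add(chain[0].serial_number)  # CA revokes the leaf
    print(check_chain(chain, responders))
```

The walk stops at the root because a self-signed root has no issuer to ask; the root is trusted by being in the client's trust store, not by OCSP. Two simplifications are worth knowing about when comparing this with production behaviour: real responders often sign with a delegated responder certificate rather than the CA key itself, and a real client would also validate the chain's signatures and validity periods before asking about revocation at all.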
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | FKayani |
