[ISSUE] tls_ocsp_from_cert: ignore doesn't ignore database OCSP, undocumented behaviour about acra HOT 4 CLOSED

You did a great job, thank you. You are right, flags tls_[ocsp|crl]_from_cert doesn't override default values of tls_[ocsp|crl]_[client|database]_from_cert, and Acra expects explicit overriding values for both parameters.
And you are right, it is unexpected and not documented behavior. We can update documentation and note that users should set empty values for parameters that have a non-empty default value, or we can set an empty default values (what we didn't do due to following our primary approach of secure by default configuration and using the strictest options by default), or we can update logic of parsing configuration options and ignore default values of not-set parameters and use general one if it set.

And we will choose the last option because it simplifies configuration by specifying only one parameter for all related groups of parameters. We will notify you and close this issue after the fix.
Also, thank you for the feedback about not complete documentation about OCSP/CRL related configuration. We will update the documentation too.

from acra.

📁 acra-issue-615.log

And here are the logs from running it with this configuration (commented out: #tls_ocsp_database_from_cert: ignore)

The problem here is, it works normally once tls_ocsp_database_from_cert: ignore is set (uncommented).
I believe it should work normally just because tls_ocsp_from_cert: ignore is set because that is the documented behaviour.

Lines such as this, do not appear when the setting is uncommented (problem behaviour doesn't happen):
time="2022-12-22T05:09:24Z" level=debug msg="OCSP: appending server http://r3.o.lencr.org, from cert"
In fact, no mention of OCSP appears in the log in this case.

from acra.

The documentation wasn't updated yet. Will close after that.

from acra.

We have updated docs and fixed cli args processing.
Thanks for contribution

from acra.