Revoking client certificates in telegraf (influxdb_listener)


I am using Telegraf with the influxdb_listener plugin to act as a secure reverse proxy that writes incoming data both to InfluxDB (v2) and Kapacitor (as per “Stream-style TICKscripts” in InfluxDB OSS 2.0 General Availability Roadmap) to be able to continue to use streaming TICKscripts after upgrading to InfluxDB v2.

To improve the security of the solution, I have enabled mutual TLS according to the influxdb_listener documentation, which seems to work fine.

But in the event of an edge device being compromised, I would like the ability to revoke individual client certificates. I could not find out how to do this in the documentation.

Has anyone got this working, or know if this is not a supported feature?

Sven Rebhan on Slack informed me that revoking client certificates is currently not supported in Telegraf (Slack), but a PR for such a feature would probably be welcomed.

Implementing this will probably require changing the common TLS config. Inspiration for how to do the implementation can be found in Cloudflare's CRL handling in CFSSL, as found by Lorenz L. on Stack Overflow: How can I verify client certificates against a CRL in Golang?
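The CRL check that the Stack Overflow answer points at, as an added Go example that is not code from this post, from Telegraf or from CFSSL: it assumes the listener already has its CA certificate and a DER-encoded CRL in memory, and the Fixture helper, the serial numbers and all other names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationCheck parses a DER CRL, checks the CA signed it, and returns a tls.Config.VerifyPeerCertificate callback.
func RevocationCheck(crlDER []byte, ca *x509.Certificate) (func([][]byte, [][]*x509.Certificate) error, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("untrusted CRL: %w", err)
	}
	revoked := map[string]bool{}
	for _, e := range crl.RevokedCertificates { // RevokedCertificateEntries on Go >= 1.21
		revoked[e.SerialNumber.String()] = true
	}
	return func(_ [][]byte, chains [][]*x509.Certificate) error { // runs after the chain passed ClientCAs validation
		if len(chains) == 0 || len(chains[0]) == 0 {
			return fmt.Errorf("no verified client chain") // ClientAuth must be RequireAndVerifyClientCert
		}
		if leaf := chains[0][0]; revoked[leaf.SerialNumber.String()] {
			return fmt.Errorf("client cert %q (serial %s) is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
		}
		return nil
	}, nil
}

// Fixture builds a throwaway CA and a CRL revoking serial 42 (constructed test data only).
func Fixture() (*x509.Certificate, []byte, error) {
	_, key, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	ca, _ := x509.ParseCertificate(der) // parsed copy carries the SubjectKeyId CreateRevocationList requires
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(42), RevocationTime: now}}}, ca, key) // a nil ca surfaces earlier failures here
	return ca, crl, err
}
```

Wiring it into the listener would mean setting ClientAuth to tls.RequireAndVerifyClientCert, ClientCAs to the CA pool, and VerifyPeerCertificate to the returned callback; the CRL also needs reloading when it is reissued.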