Part of implementing OCSP certificate revocation checking is enabling soft-fail behavior when an OCSP responder cannot be reached. The OCSP spec recommends continuing the connection:
This means that the driver SHOULD default to “soft fail” behavior, connecting as long as there are no explicitly invalid certificates—i.e. the driver will connect even if the status of all the unvalidated certificates has not been confirmed yet (e.g. because an OCSP responder is down).
OpenSSL, libtls, and Secure Transport all exhibit soft-fail behavior. This ticket is to make Secure Channel consistent with the other TLS implementations.
In addition, by default, Secure Channel considers a certificate with no revocation information (a CRL distribution point, OCSP stapled response, or OCSP authorized responders list) invalid.
Even testing with the ca.pem and server.pem certificates in x509gen (https://github.com/mongodb/mongo-c-driver/tree/master/src/libmongoc/tests/x509gen) fails certificate validation by default. The only reason the "-ssl" tests with Secure Channel have been passing is that the test runner currently enables weak certificate validation (see CDRIVER-3579). I worry that users may be using tlsAllowInvalidHostnames to bypass this error, when they really only need to disable the error due to the certificate not having revocation information.
Note that the shell uses CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS to enable soft-fail behavior, and it ignores errors for peer certificates with no revocation information by checking for CRYPT_E_NO_REVOCATION_CHECK.
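As an added illustration of the approach described above (not the shell's or the driver's own code), this C sketch passes the IGNORE_ALL_REV_UNKNOWN flags to the Secure Channel chain policy check and then treats CRYPT_E_NO_REVOCATION_CHECK, plus the related CRYPT_E_REVOCATION_OFFLINE, as the only conditions that soft-fail is allowed to accept. The function names, the chain_verdict_t enum, the hostname parameter and the non-Windows stand-in definitions are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
/* Constructed stand-ins for non-Windows builds so the verdict logic compiles
 * anywhere; the values match the Windows SDK definitions. */
typedef uint32_t DWORD;
#define CRYPT_E_REVOKED             0x80092010u
#define CRYPT_E_NO_REVOCATION_CHECK 0x80092012u
#define CRYPT_E_REVOCATION_OFFLINE  0x80092013u
#define CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS 0x00000F00u
#endif
typedef enum { CHAIN_OK, CHAIN_SOFT_FAIL_OK, CHAIN_REJECT } chain_verdict_t;

/* Map the dwError reported by CertVerifyCertificateChainPolicy to a verdict.
 * Soft-fail accepts only "revocation status unknown" conditions: the certificate
 * carries no revocation information, or the responder/CRL was unreachable.
 * An explicitly revoked certificate, or any other error, is always rejected. */
chain_verdict_t chain_verdict_from_error(DWORD dwError, bool soft_fail)
{
    if (dwError == 0) return CHAIN_OK;
    if (soft_fail && (dwError == (DWORD) CRYPT_E_NO_REVOCATION_CHECK ||
                      dwError == (DWORD) CRYPT_E_REVOCATION_OFFLINE))
        return CHAIN_SOFT_FAIL_OK;
    return CHAIN_REJECT; /* includes CRYPT_E_REVOKED */
}

#ifdef _WIN32
/* Evaluate an already-built chain against the SSL server policy. Hostname
 * matching stays on regardless of soft-fail; only unknown revocation status
 * is ignored, via CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS. */
chain_verdict_t verify_chain_soft_fail(PCCERT_CHAIN_CONTEXT chain,
                                       LPWSTR hostname, bool soft_fail)
{
    SSL_EXTRA_CERT_CHAIN_POLICY_PARA ssl = {0};
    CERT_CHAIN_POLICY_PARA para = {0};
    CERT_CHAIN_POLICY_STATUS status = {0};
    ssl.cbSize = sizeof(ssl);
    ssl.dwAuthType = AUTHTYPE_SERVER;
    ssl.pwszServerName = hostname;
    para.cbSize = sizeof(para);
    para.pvExtraPolicyPara = &ssl;
    if (soft_fail) para.dwFlags |= CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS;
    if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chain, &para, &status))
        return CHAIN_REJECT; /* the policy call itself failed: do not connect */
    return chain_verdict_from_error(status.dwError, soft_fail);
}
#endif
```

On Windows, link against crypt32; the non-Windows branch exists only so the verdict logic can be compiled and exercised off-box.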