Polyfill ASN1_TIME comparison for OpenSSL pre 1.1.1


    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: OCSP

      The OCSP cache should replace an existing entry with a new response if the new response has a nextUpdate time greater than that of the cached response. This matches the OCSP spec's recommended behavior:

      If a driver would accept a stapled OCSP response and that response has a later nextUpdate than the response already in the cache, drivers SHOULD replace the older entry in the cache with the fresher response.

      To do the time comparison, ASN1_TIME_compare is used, which was added in OpenSSL 1.1.1.

      To support OCSP on older versions of OpenSSL, the cache bypasses this comparison. This means that with OpenSSL pre-1.1.1, newer responses with a later nextUpdate time will not overwrite existing cache entries.

      This is less desirable, but also does not seem harmful, as cache entries are still removed on expiration.

      See this PR comment for additional context: https://github.com/mongodb/mongo-c-driver/pull/623#discussion_r432192850
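      As an added illustration (not code from the driver or the linked PR), the following standalone C polyfill mirrors the return contract of OpenSSL 1.1.1's ASN1_TIME_compare (-1, 0, 1, or -2 on error) while operating on the raw ASN1_TIME string contents, i.e. the UTCTime or GeneralizedTime bytes a caller would read out of the ASN1_STRING; the cache replacement rule from this ticket is then written on top of it. The names asn1_time_compare_polyfill and ocsp_cache_should_replace are assumptions for this example.

```c
#include <ctype.h>
#include <string.h>

/* Canonical form: YYYYMMDDHHMMSS (14 digits), fractional seconds dropped,
 * which is also what ASN1_TIME_compare effectively orders on. */
#define CANON_LEN 14

/* Normalize the raw contents of an ASN1_TIME, either UTCTime "YYMMDDHHMMSSZ"
 * or GeneralizedTime "YYYYMMDDHHMMSS[.fff]Z", into a 14-digit string.
 * Returns 0 on success, -1 if the input is malformed or not in UTC ("Z"). */
static int asn1_time_canonicalize(const char *raw, char out[CANON_LEN + 1]) {
    size_t len = strlen(raw);
    const char *p = raw;
    size_t i;
    int yy;
    if (len < 13 || raw[len - 1] != 'Z') return -1;
    if (len == 13) {                     /* UTCTime: two-digit year */
        /* RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY. */
        yy = (raw[0] - '0') * 10 + (raw[1] - '0');
        memcpy(out, yy >= 50 ? "19" : "20", 2);
        memcpy(out + 2, raw, 12);        /* YYMMDDHHMMSS */
    } else {                             /* GeneralizedTime: four-digit year */
        if (len < 15) return -1;
        memcpy(out, raw, 14);
        p = raw + 14;
        if (*p == '.') {                 /* optional fractional seconds, ignored */
            for (++p; isdigit((unsigned char)*p); ++p) {}
        }
        if (p != raw + len - 1) return -1;   /* anything else before 'Z' is junk */
    }
    out[CANON_LEN] = '\0';
    for (i = 0; i < CANON_LEN; i++)
        if (!isdigit((unsigned char)out[i])) return -1;
    return 0;
}

/* Same contract as ASN1_TIME_compare: -1 if a < b, 0 if equal, 1 if a > b,
 * -2 if either input could not be parsed. */
int asn1_time_compare_polyfill(const char *a, const char *b) {
    char ca[CANON_LEN + 1], cb[CANON_LEN + 1];
    int r;
    if (asn1_time_canonicalize(a, ca) != 0 || asn1_time_canonicalize(b, cb) != 0)
        return -2;
    r = strcmp(ca, cb);                  /* fixed-width digits compare lexically */
    return r < 0 ? -1 : (r > 0 ? 1 : 0);
}

/* Cache rule from this ticket: replace the cached entry only when the new
 * response's nextUpdate is strictly later. An unparsable time never replaces. */
int ocsp_cache_should_replace(const char *cached_next_update, const char *new_next_update) {
    return asn1_time_compare_polyfill(new_next_update, cached_next_update) == 1;
}
```

      On OpenSSL 1.0.2 the same ordering can instead be derived from ASN1_TIME_diff, which that release already provides; the string-based form above needs no OpenSSL at all.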

              Assignee:
              Unassigned
              Reporter:
              Kevin Albertson