  1. C Driver
  2. CDRIVER-3734

OCSP requests with OpenSSL do not include Host header

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 1.17.0-rc0, 1.17.0
    • Affects Version/s: None
    • Component/s: None
    • Labels:

      Evergreen tasks are consistently logging OCSP responder errors when contacting Amazon KMS servers:

      [2020/06/05 23:32:36.479] 2020/06/05 23:32:36.0390: [71201]:    DEBUG:       mongoc: Could not perform an OCSP request for url 'http://ocsp.sca1b.amazontrust.com'. Error: error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error
      [2020/06/05 23:32:36.479] 2020/06/05 23:32:36.0390: [71201]:    DEBUG:       mongoc: Soft-fail: No OCSP responder could be reached

      These are soft failures, so they do not fail the tests. But these OCSP requests should succeed. I can manually make an OCSP request with OpenSSL commands. The certificates and instructions are attached in kms-ocsp-cli.zip for convenience.

      These logs have been showing for a while. They go back as far as CDRIVER-3668:

      I can reproduce this locally by running the client side encryption tests when building against OpenSSL.

      > ./cmake-build/src/libmongoc/test-libmongoc --no-fork -d -l /client_side_encryption/distinct
      Begin /client_side_encryption/distinct, seed 1569892307
        - distinct with deterministic encryption
      2020/07/06 10:39:15.0057: [55294]:    DEBUG:       mongoc: Could not send OCSP request for url 'http://ocsp.sca1b.amazontrust.com'. Error: error:27076072:OCSP routines:parse_http_line1:server response error
      2020/07/06 10:39:15.0057: [55294]:    DEBUG:       mongoc: Soft-fail: No OCSP responder could be reached
        - Distinct fails when filtering on a random encrypted field
          { "status": "pass", "test_file": "/client_side_encryption/distinct", "seed": "1569892307", "start": 608.732156, "end": 609.732042, "elapsed": 0.999886  }

      I suspected CDRIVER-3668 caused a regression, but checking out prior commits shows the same behavior.

      Capturing the OCSP requests with wireshark shows that the requests do not include the "Host" HTTP header. Amazon servers appear to reject requests without the host header.

      Sidenote: The "Host" header was required in the HTTP requests to link-local addresses for AWS auth, hence this comment.
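
      As an added illustration (not the driver's own code), the following standalone C builds the HTTP POST an OCSP client should send for a responder URL, with the Host header this ticket found missing, and scans a captured request for that header; the helper names and the sample requests in the test are constructed here. With OpenSSL the equivalent is attaching the header to the OCSP_REQ_CTX via OCSP_REQ_CTX_add1_header() before the request body is set.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Split an http:// responder URL into host, port and path; the host (plus
 * ":port" when it is not 80) is what the Host header must carry. */
int ocsp_parse_url(const char *url, char *host, size_t hostlen,
                   int *port, char *path, size_t pathlen) {
    const char *p = url, *slash, *colon;
    size_t hlen;
    if (strncmp(p, "http://", 7) != 0) return 0;   /* only plain http here */
    p += 7;
    slash = strchr(p, '/');
    hlen = slash ? (size_t)(slash - p) : strlen(p);
    colon = memchr(p, ':', hlen);
    *port = 80;
    if (colon) { *port = atoi(colon + 1); hlen = (size_t)(colon - p); }
    if (hlen == 0 || hlen >= hostlen || *port <= 0) return 0;
    memcpy(host, p, hlen); host[hlen] = '\0';
    snprintf(path, pathlen, "%s", slash ? slash : "/");
    return 1;
}
/* Build the HTTP/1.0 POST carrying a DER-encoded OCSP request of der_len
 * bytes. With OpenSSL the Host line corresponds to
 * OCSP_REQ_CTX_add1_header(ctx, "Host", host) before OCSP_REQ_CTX_set1_req. */
int ocsp_build_http_request(const char *url, size_t der_len,
                            char *out, size_t outlen) {
    char host[256], path[512], hostport[272];
    int port, n;
    if (!ocsp_parse_url(url, host, sizeof host, &port, path, sizeof path))
        return 0;
    if (port == 80) snprintf(hostport, sizeof hostport, "%s", host);
    else snprintf(hostport, sizeof hostport, "%s:%d", host, port);
    n = snprintf(out, outlen,
                 "POST %s HTTP/1.0\r\nHost: %s\r\n"
                 "Content-Type: application/ocsp-request\r\n"
                 "Content-Length: %zu\r\n\r\n", path, hostport, der_len);
    return n > 0 && (size_t)n < outlen;
}
/* Scan only the header block of a captured request (as Wireshark shows it)
 * for a Host header: 1 if present, 0 if the responder will see none. */
int http_request_has_host_header(const char *req) {
    const char *end = strstr(req, "\r\n\r\n"), *line = strstr(req, "\r\n");
    while (line && (!end || line < end)) {
        line += 2;                              /* start of next header */
        if (strncasecmp(line, "Host:", 5) == 0) return 1;
        line = strstr(line, "\r\n");
    }
    return 0;
}
```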

            kevin.albertson@mongodb.com Kevin Albertson