Evergreen tasks are consistently logging OCSP responder errors when contacting Amazon KMS servers:
These are soft failures, so they do not fail the tests. But these OCSP requests should succeed. I can manually make an OCSP request with OpenSSL commands. The certificates and instructions are attached in kms-ocsp-cli.zip for convenience.
These logs have been showing for a while. They go back as far as
I can reproduce this locally by running the client side encryption tests when building against OpenSSL.
CDRIVER-3668 caused a regression, but checking out prior commits shows the same behavior.
Capturing the OCSP requests with Wireshark shows that the requests do not include the "Host" HTTP header. Amazon servers appear to reject requests without the Host header.
Sidenote: The "Host" header was required in the HTTP requests to link-local addresses for AWS auth, hence this comment.
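
The request shape at issue, as an added example that is not code from the driver or from this report: a header block for an OCSP POST that carries `Host`, plus a check for a captured header block that lacks it. The function names, the HTTP/1.0 request line and the responder URL used with it are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix match; header names and URL schemes ignore case. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    while (*prefix)
        if (tolower((unsigned char)*s++) != tolower((unsigned char)*prefix++))
            return 0;
    return 1;
}

/* Hypothetical helper: build the header block of an OCSP POST for an http://
 * responder URL, including Host. Returns the length written, or -1 on error. */
int build_ocsp_post_headers(const char *url, size_t body_len,
                            char *out, size_t out_len)
{
    char host[256];
    if (!has_prefix_ci(url, "http://") || strpbrk(url, "\r\n "))
        return -1;              /* wrong scheme, or bytes that could inject headers */
    const char *authority = url + 7;
    size_t n = strcspn(authority, "/");
    if (n == 0 || n >= sizeof host)
        return -1;
    memcpy(host, authority, n);
    host[n] = '\0';
    if (n > 3 && strcmp(host + n - 3, ":80") == 0)
        host[n - 3] = '\0';     /* the default port is left out of Host */
    const char *path = authority[n] ? authority + n : "/";
    int len = snprintf(out, out_len,
                       "POST %s HTTP/1.0\r\n"
                       "Host: %s\r\n"
                       "Content-Type: application/ocsp-request\r\n"
                       "Content-Length: %zu\r\n\r\n",
                       path, host, body_len);
    return (len < 0 || (size_t)len >= out_len) ? -1 : len;
}

/* Hypothetical check: 1 if a captured header block carries a Host header. */
int has_host_header(const char *headers)
{
    const char *eol = strstr(headers, "\r\n");  /* skip the request line */
    for (; eol; eol = strstr(eol + 2, "\r\n"))
        if (has_prefix_ci(eol + 2, "host:"))
            return 1;
    return 0;
}
```

`has_host_header` expects only the header block (up to the blank line), not the DER-encoded request body that follows it.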