Core Server / SERVER-46729

Make Windows shell soft-fail for unavailable OCSP responder


    Details

    • Backwards Compatibility:
      Fully Compatible
    • Backport Requested:
      v4.4, v4.2, v4.0
    • Sprint:
      Security 2020-03-23, Security 2020-04-06, Security 2020-04-20, Security 2020-05-04, Security 2020-05-18
Description

When a client is unable to contact an OCSP responder, it obtains neither a positive nor a negative answer about the certificate's validity.

In this state it should accept certificates that do not carry the OCSP Must-Staple extension, so that a transient network fault does not turn into an availability failure.

Windows' SChannel library defaults to hard-failing when revocation information is unavailable. We should try the SCH_CRED_IGNORE_REVOCATION_OFFLINE credential flag to change this behaviour so that an unreachable responder soft-fails instead.


People

Assignee: shreyas.kalyan (Shreyas Kalyan)
Reporter: spencer.jackson (Spencer Jackson)
