[SERVER-46729] Make Windows shell soft-fail for unavailable OCSP responder - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.4.0-rc5, 4.7.0, 4.2.11, 4.0.22
Component/s: Security, Shell
Labels:
None

Backwards Compatibility:
Fully Compatible
Backport Requested:

v4.4, v4.2, v4.0
Sprint:
Security 2020-03-23, Security 2020-04-06, Security 2020-04-20, Security 2020-05-04, Security 2020-05-18
Case:

Description

When a client is unable to contact an OCSP responder, it neither acquires a positive or a negative response for certificate validity.

In this state, it should accept non-MustStaple certificates in order to prevent transient network faults from compromising availability.

Windows' SChannel library defaults to hard-failing on detecting an unavailable certificate. We should try and use the SCH_CRED_IGNORE_REVOCATION_OFFLINE flag to change this behaviour.

Attachments

Issue Links

depends on

SERVER-46633 Windows TLS implementation may declare hostname mismatch on unrelated error

Closed

Activity

People

Assignee:: Shreyas Kalyan

Reporter:: Spencer Jackson

Participants:: Githook User, Shreyas Kalyan, Spencer Jackson

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: Mar 09 2020 07:28:52 PM UTC

Updated:: Feb 02 2021 02:46:46 PM UTC

Resolved:: May 04 2020 08:30:25 PM UTC