Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.4.0-rc5, 4.7.0, 4.2.11, 4.0.22
Affects Version/s: None
Component/s: Security, Shell
Labels:
None

Backwards Compatibility:
Fully Compatible
Backport Requested:

v4.4, v4.2, v4.0
Sprint:
Security 2020-03-23, Security 2020-04-06, Security 2020-04-20, Security 2020-05-04, Security 2020-05-18
Case:
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

When a client is unable to contact an OCSP responder, it neither acquires a positive or a negative response for certificate validity.

In this state, it should accept non-MustStaple certificates in order to prevent transient network faults from compromising availability.

Windows' SChannel library defaults to hard-failing on detecting an unavailable certificate. We should try and use the SCH_CRED_IGNORE_REVOCATION_OFFLINE flag to change this behaviour.

depends on

SERVER-46633 Windows TLS implementation may declare hostname mismatch on unrelated error

Closed

Assignee:: Shreyas Kalyan
Reporter:: Spencer Jackson
Participants:: Githook User, Shreyas Kalyan, Spencer Jackson
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Mar 09 2020 07:28:52 PM UTC
Updated:: Oct 29 2023 10:11:04 PM UTC
Resolved:: May 04 2020 08:30:25 PM UTC
Confidence Status Last Update:: 30/Apr/20 11:58 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates