Core Server / SERVER-46729

Make Windows shell soft-fail for unavailable OCSP responder


Details

    • Fully Compatible
    • v4.4, v4.2, v4.0
    • Security 2020-03-23, Security 2020-04-06, Security 2020-04-20, Security 2020-05-04, Security 2020-05-18

    Description

      When a client is unable to contact an OCSP responder, it acquires neither a positive nor a negative response for certificate validity.

      In this state, it should accept non-MustStaple certificates in order to prevent transient network faults from compromising availability.

      Windows' SChannel library defaults to hard-failing on detecting an unavailable certificate. We should try and use the SCH_CRED_IGNORE_REVOCATION_OFFLINE flag to change this behaviour.
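
The soft-fail rule described above, as an added example that is not part of the ticket or of MongoDB's code: the revocation bits a client would put in `SCHANNEL_CRED.dwFlags`, next to the acceptance rule for good, revoked and unreachable-responder outcomes. The `SCH_CRED_*` names come from `schannel.h`; `rev_status`, `revocation_flags`, `accept_peer` and `init_client_cred` are hypothetical names, and the Must-Staple check is modeled here as an application-level decision.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <schannel.h>
#else /* flag values as defined in the Windows SDK's schannel.h */
#define SCH_CRED_REVOCATION_CHECK_CHAIN    0x00000200
#define SCH_CRED_IGNORE_REVOCATION_OFFLINE 0x00001000
#endif

/* Hypothetical outcome of the revocation lookup for the peer certificate,
   whether it came from a stapled response or from querying the responder.
   REV_OFFLINE: no response could be obtained at all. */
typedef enum { REV_GOOD, REV_REVOKED, REV_OFFLINE } rev_status;

/* Revocation bits for SCHANNEL_CRED.dwFlags: always check the chain;
   in soft-fail mode also tolerate an unreachable responder. */
uint32_t revocation_flags(bool soft_fail)
{
    uint32_t flags = SCH_CRED_REVOCATION_CHECK_CHAIN;
    if (soft_fail)
        flags |= SCH_CRED_IGNORE_REVOCATION_OFFLINE;
    return flags;
}

/* Acceptance rule from the description: an explicit "revoked" is always
   fatal; a missing answer is tolerated only in soft-fail mode and only
   for certificates that are not Must-Staple. */
bool accept_peer(rev_status status, bool must_staple, bool soft_fail)
{
    switch (status) {
    case REV_GOOD:    return true;
    case REV_REVOKED: return false;
    case REV_OFFLINE: return soft_fail && !must_staple;
    }
    return false; /* unknown status value: fail closed */
}

#ifdef _WIN32
/* Fill the structure later passed to AcquireCredentialsHandle. */
void init_client_cred(SCHANNEL_CRED *cred, bool soft_fail)
{
    memset(cred, 0, sizeof(*cred));
    cred->dwVersion = SCHANNEL_CRED_VERSION;
    cred->dwFlags = revocation_flags(soft_fail);
}
#endif
```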

            People

              shreyas.kalyan@mongodb.com Shreyas Kalyan
              spencer.jackson@mongodb.com Spencer Jackson