- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Fully Compatible
- v4.4, v4.2, v4.0
- Security 2020-03-23, Security 2020-04-06, Security 2020-04-20, Security 2020-05-04, Security 2020-05-18
When a client is unable to contact an OCSP responder, it acquires neither a positive nor a negative response for certificate validity.
In this state, it should accept non-MustStaple certificates in order to prevent transient network faults from compromising availability.
Windows' SChannel library defaults to hard-failing on detecting an unavailable certificate. We should try to use the SCH_CRED_IGNORE_REVOCATION_OFFLINE flag to change this behaviour.
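A sketch of the soft-fail policy described above, added here as an illustration and not taken from the project's code. The names revocation_flags, revocation_verdict and tls_verdict are hypothetical; the choice of SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the revocation mode and the rule that a MustStaple certificate without a good stapled response is rejected are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <schannel.h>
#else
/* Values as published in schannel.h / winerror.h, repeated here so the
 * policy logic also compiles and can be tested off Windows. */
#define SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x00000400
#define SCH_CRED_IGNORE_REVOCATION_OFFLINE           0x00001000
#define CRYPT_E_REVOKED            0x80092010u
#define CRYPT_E_REVOCATION_OFFLINE 0x80092013u
#endif

typedef enum { TLS_ACCEPT, TLS_REJECT } tls_verdict; /* hypothetical type */

/* Value for SCHANNEL_CRED.dwFlags (hypothetical helper): always check
 * revocation; with soft_fail set, tolerate an unreachable responder. */
uint32_t revocation_flags(bool soft_fail)
{
    uint32_t flags = SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT; /* assumed mode */
    if (soft_fail)
        flags |= SCH_CRED_IGNORE_REVOCATION_OFFLINE;
    return flags;
}

/* Verdict for a caller that validates the chain itself (hypothetical helper).
 * chain_error: error code reported by the chain policy check, 0 if none. */
tls_verdict revocation_verdict(uint32_t chain_error, bool must_staple, bool stapled_good)
{
    if (chain_error == (uint32_t)CRYPT_E_REVOKED)
        return TLS_REJECT;              /* definite negative response */
    if (must_staple && !stapled_good)
        return TLS_REJECT;              /* MustStaple never soft-fails (assumption) */
    if (chain_error == 0 || chain_error == (uint32_t)CRYPT_E_REVOCATION_OFFLINE)
        return TLS_ACCEPT;              /* good, or responder unreachable */
    return TLS_REJECT;                  /* every other chain error stays fatal */
}

int main(void)
{
    uint32_t offline = (uint32_t)CRYPT_E_REVOCATION_OFFLINE;
    printf("dwFlags with soft-fail: 0x%08x\n", (unsigned)revocation_flags(true));
    printf("responder offline, plain cert: %s\n",
           revocation_verdict(offline, false, false) == TLS_ACCEPT ? "accept" : "reject");
    printf("responder offline, MustStaple: %s\n",
           revocation_verdict(offline, true, false) == TLS_ACCEPT ? "accept" : "reject");
    return 0;
}
```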
- depends on: SERVER-46633 Windows TLS implementation may declare hostname mismatch on unrelated error (Closed)