Core Server / SERVER-55122

Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.9.0, 4.4.6
    • Affects Version/s: None
    • Component/s: Security
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v4.4
    • Sprint: Security 2021-03-22
    • Participants: 10

Say that a certificate chain is structured as such:

    server certificate -> intermediate certificate -> self-signed root certificate

When the server is presented with certificates in this fashion:

    tlsCertificateKeyFile: server certificate -> intermediate certificate
    tlsCAFile: self-signed root certificate

The server is unable to staple an OCSP response because it is unable to build out the chain. The intermediate certificate is loaded into a different structure, not the X509 store for the SSL_CTX object. We need to fetch the intermediate certificate from an internal OpenSSL object and build out the chain when we start the OCSP stapling process.

            Assignee: Shreyas Kalyan (shreyas.kalyan@mongodb.com)
            Reporter: Shreyas Kalyan (shreyas.kalyan@mongodb.com)
            Votes: 0
            Watchers: 5
