Core Server / SERVER-55122

Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.9.0, 4.4.6
    • Component/s: Security
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v4.4
    • Sprint: Security 2021-03-22

      Description

Say that a certificate chain is structured as such:

    server certificate -> intermediate certificate -> self signed root certificate

When the server is presented with certificates in this fashion:

    tlsCertificateKeyFile: server certificate -> intermediate certificate
    tlsCAFile: self signed root certificate

The server is unable to staple an OCSP response because it is unable to build out the chain. The intermediate certificate is loaded into a different structure - not the X509 store for the SSL_CTX object. We need to fetch the intermediate certificate from an internal OpenSSL object and build out the chain when we start the OCSP stapling process.

People

Assignee: shreyas.kalyan Shreyas Kalyan
Reporter: shreyas.kalyan Shreyas Kalyan
Votes: 0
Watchers: 4