  1. Core Server
  2. SERVER-55122

Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile


Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 4.9.0, 4.4.6
    • Security
    • None
    • Fully Compatible
    • ALL
    • v4.4
    • Security 2021-03-22
    • 10

    Description

      Say that a certificate chain is structured as such:

      server certificate -> intermediate certificate -> self signed root certificate 
      

      When the server is presented with certificates in this fashion:

      tlsCertificateKeyFile: server certificate -> intermediate certificate
      tlsCAFile: self signed root certificate
      

       The server is unable to staple an OCSP response because it is unable to build out the chain. The intermediate certificate is loaded into a different structure - not the X509 store for the SSL_CTX object. We need to fetch the intermediate certificate from an internal OpenSSL object and build out the chain when we start the OCSP stapling process.
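The chain-building dependency described above, reproduced with the `openssl` command line on a constructed chain. This is an added example, not MongoDB's code or part of the ticket. `-CAfile` stands in for tlsCAFile and `-untrusted` supplies the intermediate that is not in the trust store; all file and subject names are made up.

```shell
#!/bin/sh
# Constructed three-tier chain: root -> intermediate -> server (names are made up).

make_chain() {  # $1 = working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root, intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -set_serial 1 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -days 1 -set_serial 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -days 1 -set_serial 3 -out "$d/server.pem" 2>/dev/null
}

# Trust store only (the tlsCAFile role): the leaf's issuer cannot be found.
verify_store_only() {
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Trust store plus the intermediate handed over as an untrusted chain certificate.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

# An OCSP request names the leaf by hashes of its issuer's name and key plus the
# serial number, so the issuer (here the intermediate) must be at hand to build it.
make_ocsp_request() {
    openssl ocsp -issuer "$1/int.pem" -cert "$1/server.pem" -no_nonce \
        -reqout "$1/req.der" >/dev/null 2>&1 && [ -s "$1/req.der" ]
}

work=$(mktemp -d) && make_chain "$work" || exit 1
verify_store_only "$work" && echo "store only: chain built" \
    || echo "store only: chain NOT built"
verify_with_intermediate "$work" && echo "with intermediate: chain built"
make_ocsp_request "$work" && echo "OCSP request created"
rm -rf "$work"
```
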

            People

              shreyas.kalyan@mongodb.com Shreyas Kalyan
              shreyas.kalyan@mongodb.com Shreyas Kalyan