Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.9.0, 4.4.6
Affects Version/s: None
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.4
Sprint:
Security 2021-03-22
Linked BF Score:
10
Confidence Status:
None
Work Order:
3
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

Say that a certificate chain is structured as such:

server certificate -> intermediate certificate -> self signed root certificate

When the server is presented with certificates in this fashion:

tlsCertificateKeyFile: server certificate -> intermediate certificate
tlsCAFile: self signed root certificate

The server is unable to staple an OCSP response because it is unable to build out the chain. The intermediate certificate is loaded into a different structure - not the X509 store for the SSL_CTX object. We need to fetch the intermediate certificate from an internal OpenSSL object and build out the chain when we start the OCSP stapling process.

is duplicated by

SERVER-55074 Add warning message to OCSP Fetcher when it is unable to staple a response

Closed

Assignee:: Shreyas Kalyan
Reporter:: Shreyas Kalyan
Participants:: Githook User, Shreyas Kalyan
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Mar 10 2021 05:51:51 PM UTC
Updated:: Oct 29 2023 09:56:26 PM UTC
Resolved:: Mar 21 2021 03:18:46 AM UTC
Confidence Status Last Update:: 17/Mar/21 4:50 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates