[SERVER-60310] OCSP response validation should not consider statuses of irrelevant certificates - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.2.0, 5.1.2, 5.0.6, 4.4.11
Component/s: None
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v5.1, v5.0, v4.4
Sprint:
Security 2021-11-15, Security 2021-11-29, Security 2021-12-13
Case:

Description

When an OCSP responder is queried, it may elect to disclose the statuses of more certificates than were initially requested. These certificates may or may not be revoked. If we attempt to validate an OCSP response, and observe one or more revoked statuses for unsolicited certificate we should ignore them if (and only if) they are irrelevant for the chain we are attempting to validate.

Otherwise, we may fail to validate a valid chain.

Attachments

Activity

People

Assignee:: Erwin Pe

Reporter:: Spencer Jackson

Participants:: Erwin Pe, Githook User, Spencer Jackson

Votes:: 0 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: Sep 29 2021 03:28:06 PM UTC

Updated:: Dec 06 2021 09:51:55 PM UTC

Resolved:: Dec 03 2021 12:07:52 AM UTC