Core Server / SERVER-84645

OCSP stapling log messages should indicate response validity

Details

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • Server Security

    Description

      After an OCSP response acquisition attempt, several events might have occurred:

      • A network error
      • One or more responder errors
      • A response which failed signature validation
      • A response which failed to meet policy
      • A response which indicates the subject certificate was revoked
      • A response which indicates the subject certificate was valid

      There are probably a few other edge cases. Currently, the main OCSP stapling loop dispatches requests, then logs message 577163 which includes the Status of acquisition and validation. It doesn't report anything about what was observed in the response, meaning that both valid and revoked responses are reported with Status::OK. This is misleading, and can confuse administrators trying to debug revoked responses.
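The gap described above, as an added sketch that is not MongoDB source code: acquisition status and certificate status are kept as separate fields so a revoked response cannot log the same line as a good one. All type names, field names and the log format are hypothetical, and the RFC 6960 "unknown" certificate status is included alongside the good and revoked cases the ticket lists.

```cpp
// Added illustration, not MongoDB source: every type, field and log format here is hypothetical.
#include <string>

// Result of fetching and validating the OCSP response itself.
enum class Acquisition { kOk, kNetworkError, kResponderError, kBadSignature, kPolicyFailure };
// What a validated response asserts about the certificate (RFC 6960 CertStatus);
// kNone means no validated response was available to read a status from.
enum class CertStatus { kNone, kGood, kRevoked, kUnknown };

struct StapleResult {
    Acquisition acquisition;
    CertStatus certStatus;
};

std::string toString(Acquisition a) {
    switch (a) {
        case Acquisition::kOk: return "OK";
        case Acquisition::kNetworkError: return "NetworkError";
        case Acquisition::kResponderError: return "ResponderError";
        case Acquisition::kBadSignature: return "BadSignature";
        case Acquisition::kPolicyFailure: return "PolicyFailure";
    }
    return "Invalid";
}

std::string toString(CertStatus c) {
    switch (c) {
        case CertStatus::kNone: return "none";
        case CertStatus::kGood: return "good";
        case CertStatus::kRevoked: return "revoked";
        case CertStatus::kUnknown: return "unknown";
    }
    return "invalid";
}

// Status-only line: a revoked and a good response are indistinguishable.
std::string statusOnlyLine(const StapleResult& r) {
    return "ocsp staple status=" + toString(r.acquisition);
}

// Adds the certificate status; a missing status is reported, never assumed good.
std::string detailedLine(const StapleResult& r) {
    return statusOnlyLine(r) + " certStatus=" + toString(r.certStatus);
}

// Severity follows the certificate status, not only the acquisition status.
bool needsAttention(const StapleResult& r) {
    return r.acquisition != Acquisition::kOk || r.certStatus != CertStatus::kGood;
}
```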

          People

            backlog-server-security Backlog - Security Team
            spencer.jackson@mongodb.com Spencer Jackson