Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-93207

SSLManagerInterface needs better way to stop the OCSP fetcher periodic job

    • Type: Icon: Task Task
    • Resolution: Won't Do
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • None
    • Server Security
    • Security 2024-08-19, Security 2024-09-02
    • 200

      When rotating certificates, the call to SSLManagerInterface::stapleOCSPResponse() on a temporary SSLManagerInterface instance implicitly starts a periodic fetch and staple job, in addition to performing the initial fetch and staple itself. Unless the initial fetch and staple succeeds in obtaining a valid response, there is no need to start a periodic fetch and staple thread as it will only get shut down as soon as the SSLConnectionContext associated with it is deleted upon return of an error in AsioTransportLayer::_createSSLContext(). The current way this works is also prone to issues like the one seen in BF-34360. A cleaner way would be to start the periodic OCSP fetcher via a separate API call (e.g. SSLManagerInterface::startJobs()) that will be invoked only when the global SSLManagerInterface can be safely replaced by the temporary SSLManagerInterface during rotate.

            Assignee:
            Unassigned Unassigned
            Reporter:
            erwin.pe@mongodb.com Erwin Pe
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: