[CDRIVER-3580] Secure Channel must soft-fail when certificate has no revocation info or revocation responder is offline Created: 19/Mar/20 Updated: 28/Oct/23 Resolved: 02/Jul/20
| Status: | Closed |
| Project: | C Driver |
| Component/s: | tls |
| Affects Version/s: | None |
| Fix Version/s: | 1.17.0-rc0, 1.17.0 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Kevin Albertson | Assignee: | Kevin Albertson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
| Epic Link: | C 4.4 Support |
| Description |
Part of implementing OCSP certificate revocation is to enable soft-fail behavior when an OCSP responder cannot be reached. The OCSP spec recommends continuing the connection:

OpenSSL, libtls, and Secure Transport all exhibit soft-fail behavior. This ticket is to make Secure Channel consistent with the other TLS implementations.

In addition, by default Secure Channel considers a certificate with no revocation information (a CRL distribution point, an OCSP stapled response, or an OCSP authorized responders list) invalid. Even testing with the ca.pem and server.pem certificates in x509gen fails certificate validation by default: https://github.com/mongodb/mongo-c-driver/tree/master/src/libmongoc/tests/x509gen

The only reason the "-ssl" tests with Secure Channel have been passing is that the test runner currently enables weak certificate validation (see

Note: the shell uses CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS to enable soft-failing behavior, and it ignores errors for peer certificates with no revocation information by checking for CRYPT_E_NO_REVOCATION_CHECK.
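To make the two mechanisms the description names concrete, here is an added example (not mongo-c-driver code): a portable helper that decides which chain-policy statuses a soft-fail mode may tolerate, and a Windows-only wrapper that applies it to CertVerifyCertificateChainPolicy with CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS. The `*_VAL` macros and the CRYPT_E_REVOCATION_OFFLINE status are my additions (the values are the wincrypt.h constants), and the SSL hostname policy parameters (`pvExtraPolicyPara`) are left out for brevity.

```c
/* Added example, not mongo-c-driver code: decide whether a Secure Channel
 * chain-policy result should hard-fail or soft-fail, and on Windows apply
 * that decision to CertVerifyCertificateChainPolicy. */
#include <stdbool.h>
#include <stdint.h>

/* wincrypt.h values, spelled out so the decision logic also builds and
 * tests off-Windows. CRYPT_E_REVOCATION_OFFLINE is not named in the ticket;
 * it is the status reported when the responder cannot be reached. */
#define CRYPT_E_REVOKED_VAL             0x80092010u
#define CRYPT_E_NO_REVOCATION_CHECK_VAL 0x80092012u
#define CRYPT_E_REVOCATION_OFFLINE_VAL  0x80092013u

/* Returns true if the handshake may continue. Soft-fail only tolerates the
 * "could not determine revocation" statuses; a real revocation is always
 * fatal, and every other policy error is fatal in both modes. */
bool schannel_chain_status_ok(uint32_t status, bool soft_fail)
{
    if (status == 0) return true;
    if (!soft_fail) return false;
    return status == CRYPT_E_NO_REVOCATION_CHECK_VAL ||
           status == CRYPT_E_REVOCATION_OFFLINE_VAL;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
/* Windows-only: run the SSL chain policy with the flag the mongo shell uses
 * so "revocation unknown" is not reported as an error, then apply the
 * decision above to whatever status remains (e.g. no revocation info at all).
 * Real code must also fill pvExtraPolicyPara with the server name. */
bool schannel_verify_chain(PCCERT_CHAIN_CONTEXT chain, bool soft_fail)
{
    CERT_CHAIN_POLICY_PARA para = { sizeof(para) };
    CERT_CHAIN_POLICY_STATUS st = { sizeof(st) };
    if (soft_fail) para.dwFlags |= CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS;
    if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chain, &para, &st))
        return false; /* the API call itself failed; treat as a hard error */
    return schannel_chain_status_ok((uint32_t) st.dwError, soft_fail);
}
#endif
```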
| Comments |
| Comment by Githook User [ 11/Jul/20 ] |

Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@10gen.com', 'username': 'kevinAlbs'}
Message: With schannel, if certificate validation occurs due to:
| Comment by Githook User [ 02/Jul/20 ] |

Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@10gen.com', 'username': 'kevinAlbs'}
Message: With schannel, if certificate validation occurs due to:
| Comment by Githook User [ 02/Jul/20 ] |

Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@10gen.com', 'username': 'kevinAlbs'}
Message: With schannel, if certificate validation occurs due to:
| Comment by Kevin Albertson [ 30/Jun/20 ] |