This option has been implemented for Windows Secure Channel as part of CDRIVER-3408, where the default behavior is to hard-fail for a certificate without revocation checking mechanisms included (OCSP endpoints or CRL list). I interpret the spec to mean libmongoc does not need to implement this option for other TLS libraries, where the default is not to hard-fail:
"Drivers whose TLS libraries support an option to toggle general certificate revocation checking must implement this option if enabling general certificate revocation checking causes hard-fail behavior when no revocation mechanisms are available (i.e. no methods are defined or the CRL distribution points/OCSP endpoints are unreachable)."