[CDRIVER-3591] Add URI option to disable certificate revocation checking
Created: 25/Mar/20
Updated: 27/Oct/23
Resolved: 01/Apr/20

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: PM Bot
Assignee: Kevin Albertson
Resolution: Gone away
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by PHPC-1575 Add URI option to disable certificate... Closed
Epic Link: C 4.4 Support

 Description   

See DRIVERS-975 for details.



 Comments   
Comment by Kevin Albertson [ 01/Apr/20 ]

This option has been implemented for Windows Secure Channel as part of CDRIVER-3408, where the default behavior is to hard-fail for a certificate without revocation checking mechanisms included (OCSP endpoints or CRL list). I interpret the spec to mean libmongoc does not need to implement this option for other TLS libraries, where the default is not to hard-fail:

Drivers whose TLS libraries support an option to toggle general certificate revocation checking must implement this option if enabling general certificate revocation checking causes hard-fail behavior when no revocation mechanisms are available (i.e. no methods are defined or the CRL distribution points/OCSP endpoints are unreachable).

Comment by April Schoffer [ 30/Mar/20 ]

Check to ensure we don't need to implement this on every library.
