[CDRIVER-3668] Support OCSP in older OpenSSL versions Created: 12/May/20  Updated: 28/Oct/23  Resolved: 05/Jun/20

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.17.0-beta2, 1.17.0

Type: Task Priority: Major - P3
Reporter: Kevin Albertson Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CDRIVER-3707 Polyfill ASN1_TIME comparison for Ope... Backlog
is related to CDRIVER-3562 Investigate if we can bump minimum de... Closed
Epic Link: C 4.4 Support

 Description   

Currently our OCSP implementation in OpenSSL requires version 1.1.1.

We document that the minimum supported version of OpenSSL is 1.0.1. CDRIVER-3562 has yet to determine whether we can bump this requirement, but we likely need to support back to at least 1.0.2.



 Comments   
Comment by Githook User [ 05/Jun/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3668 fix ifdef around test
Branch: r1.17
https://github.com/mongodb/mongo-c-driver/commit/72a1cf6d342d6e8031337dfff4830601507ee2c1

Comment by Githook User [ 05/Jun/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3668 support OCSP back to OpenSSL 1.0.1 (#623)

  • change SSL_CTX_set_tlsext_status_type to SSL_set_tlsext_status_type.
  • polyfill SSL_get0_verified_chain, NID_tlsfeature, and hostname check.
  • check for status_request from the tlsfeature extension when inspecting peer certificate.
  • skip time check for older OpenSSL when updating cache entries.
  • perform the OCSP check after the handshake, since sometimes the peer certificate is not available in the callback in OpenSSL <= 1.0.2.
  • check tlsDisableOCSPEndpointCheck before reaching out to a responder.
  • make tlsDisableOCSPEndpointCheck and tlsDisableCertificateRevocationCheck URI options implicitly enable TLS.
  • enable OCSP tests on OpenSSL and macOS that were skipped.
  • add OCSP tests for OpenSSL 1.0.1.
  • update OCSP OpenSSL documentation.
  • change OCSP verification logs from MONGOC_DEBUG to TRACE in successful cases.

Branch: r1.17
https://github.com/mongodb/mongo-c-driver/commit/1184f0236c468e17ba7ef79229bd17a0a7bc3e2a

Comment by Githook User [ 05/Jun/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3668 fix ifdef around test
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/500c40eda94b8709fc41ad0ecf257d6baccf36e8

Comment by Githook User [ 05/Jun/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3668 support OCSP back to OpenSSL 1.0.1 (#623)

  • change SSL_CTX_set_tlsext_status_type to SSL_set_tlsext_status_type.
  • polyfill SSL_get0_verified_chain, NID_tlsfeature, and hostname check.
  • check for status_request from the tlsfeature extension when inspecting peer certificate.
  • skip time check for older OpenSSL when updating cache entries.
  • perform the OCSP check after the handshake, since sometimes the peer certificate is not available in the callback in OpenSSL <= 1.0.2.
  • check tlsDisableOCSPEndpointCheck before reaching out to a responder.
  • make tlsDisableOCSPEndpointCheck and tlsDisableCertificateRevocationCheck URI options implicitly enable TLS.
  • enable OCSP tests on OpenSSL and macOS that were skipped.
  • add OCSP tests for OpenSSL 1.0.1.
  • update OCSP OpenSSL documentation.
  • change OCSP verification logs from MONGOC_DEBUG to TRACE in successful cases.

Branch: master
https://github.com/mongodb/mongo-c-driver/commit/733322e98fdad8d4cf5fa2ce2f256d8e014ce51e

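Added example (not code from mongo-c-driver, this PR, or the commit above) illustrating two of the bullets in the commit message: "check for status_request from the tlsfeature extension when inspecting peer certificate" and "check tlsDisableOCSPEndpointCheck before reaching out to a responder". OpenSSL 1.1.0+ exposes the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, the "must-staple" extension) through NID_tlsfeature and the TLS_FEATURE type, which the commit says is polyfilled on 1.0.x; this example sidesteps libssl entirely and decodes the extension's raw DER value (a SEQUENCE OF INTEGER of TLS extension type numbers) by hand, so it builds with a plain C compiler. The DER samples are constructed, and the function names, the ocsp_step_t enum and the ordering of checks in next_ocsp_step are this example's own reading of the commit bullets, not the driver's actual control flow.

```c
/*
 * Added example, not mongo-c-driver code. Decodes the X.509 TLS Feature
 * extension value (RFC 7633) and picks the next OCSP step. All names here
 * are hypothetical; the DER samples at the bottom are constructed by hand.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS extension type numbers that may appear inside the TLS Feature ext. */
#define TLS_FEATURE_STATUS_REQUEST 5     /* RFC 6066 status_request */
#define TLS_FEATURE_STATUS_REQUEST_V2 17 /* RFC 6961 status_request_v2 */

/* Decode the extension value, DER "SEQUENCE OF INTEGER". Returns the number
 * of features found (writing up to max_out of them into out) or -1 if the
 * encoding is malformed. Feature ids are small, so only short-form lengths
 * and non-negative INTEGERs of at most two bytes are accepted; anything
 * else is rejected rather than guessed at. */
static int
parse_tls_feature_ext (const uint8_t *der, size_t len, int *out, int max_out)
{
   size_t i, seq_len;
   int n = 0;

   if (len < 2 || der[0] != 0x30 || (der[1] & 0x80)) {
      return -1;
   }
   seq_len = der[1];
   if (2 + seq_len != len) {
      return -1; /* truncated or trailing bytes */
   }
   for (i = 2; i < len;) {
      size_t ilen, k;
      int value = 0;

      if (i + 2 > len || der[i] != 0x02) {
         return -1;
      }
      ilen = der[i + 1];
      if (ilen == 0 || ilen > 2 || i + 2 + ilen > len || (der[i + 2] & 0x80)) {
         return -1;
      }
      for (k = 0; k < ilen; k++) {
         value = (value << 8) | der[i + 2 + k];
      }
      if (n < max_out) {
         out[n] = value;
      }
      n++;
      i += 2 + ilen;
   }
   return n;
}

/* 1 if the certificate advertises status_request (or v2) and therefore must
 * arrive with a stapled OCSP response, 0 if not, -1 if the extension value
 * is malformed (the caller should reject the certificate outright). */
static int
cert_must_staple (const uint8_t *ext_der, size_t ext_len)
{
   int feats[8];
   int n = parse_tls_feature_ext (ext_der, ext_len, feats, 8);
   int k;

   if (n < 0) {
      return -1;
   }
   for (k = 0; k < n && k < 8; k++) {
      if (feats[k] == TLS_FEATURE_STATUS_REQUEST ||
          feats[k] == TLS_FEATURE_STATUS_REQUEST_V2) {
         return 1;
      }
   }
   return 0;
}

typedef enum {
   OCSP_STEP_ACCEPT,          /* no further revocation work to do */
   OCSP_STEP_VERIFY_STAPLE,   /* validate the stapled response */
   OCSP_STEP_QUERY_RESPONDER, /* contact the responder named in the cert */
   OCSP_STEP_REJECT           /* must-staple certificate with no staple */
} ocsp_step_t;

/* Post-handshake decision. Ordering is this example's reading of the commit
 * bullets: a must-staple certificate without a staple fails regardless of
 * tlsDisableOCSPEndpointCheck, and the responder is contacted only when that
 * option is unset. tlsDisableCertificateRevocationCheck skips everything. */
static ocsp_step_t
next_ocsp_step (bool have_staple, bool must_staple,
                bool disable_endpoint_check, bool disable_revocation_check)
{
   if (disable_revocation_check) return OCSP_STEP_ACCEPT;
   if (have_staple) return OCSP_STEP_VERIFY_STAPLE;
   if (must_staple) return OCSP_STEP_REJECT;
   if (disable_endpoint_check) return OCSP_STEP_ACCEPT;
   return OCSP_STEP_QUERY_RESPONDER;
}

/* Constructed DER extension values (no OID/critical wrapper). */
static const uint8_t EXT_MUST_STAPLE[] = {0x30, 0x03, 0x02, 0x01, 0x05};
static const uint8_t EXT_BOTH[] = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x11};
static const uint8_t EXT_OTHER[] = {0x30, 0x03, 0x02, 0x01, 0x00}; /* server_name only */
static const uint8_t EXT_EMPTY[] = {0x30, 0x00};
static const uint8_t EXT_TRUNCATED[] = {0x30, 0x03, 0x02, 0x01};

int
main (void)
{
   struct { const char *name; const uint8_t *der; size_t len; } samples[] = {
      {"must-staple", EXT_MUST_STAPLE, sizeof EXT_MUST_STAPLE},
      {"both", EXT_BOTH, sizeof EXT_BOTH},
      {"other", EXT_OTHER, sizeof EXT_OTHER},
      {"empty", EXT_EMPTY, sizeof EXT_EMPTY},
      {"truncated", EXT_TRUNCATED, sizeof EXT_TRUNCATED},
   };
   size_t i;

   for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
      int ms = cert_must_staple (samples[i].der, samples[i].len);
      printf ("%-11s must_staple=%2d step_without_staple=%d\n", samples[i].name,
              ms, (int) next_ocsp_step (false, ms == 1, false, false));
   }
   return 0;
}
```

Only the extension value is decoded here; in a real client the bytes come out of X509_get_ext_d2i (or the raw X509_EXTENSION on OpenSSL 1.0.x, where NID_tlsfeature has to be registered with OBJ_create first), and a malformed value should fail the connection rather than be ignored.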
Comment by Kevin Albertson [ 04/Jun/20 ]

PR: https://github.com/mongodb/mongo-c-driver/pull/623

Generated at Wed Feb 07 21:18:42 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.