[CDRIVER-3707] Polyfill ASN1_TIME comparison for OpenSSL pre 1.1.1 Created: 05/Jun/20  Updated: 10/Feb/23

Status: Backlog
Project: C Driver
Component/s: OCSP
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Kevin Albertson Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-3668 Support OCSP in older OpenSSL versions Closed
Epic Link: CDRIVER-4575

Description

The OCSP cache should replace existing entries with new responses if the new responses have a nextUpdate time greater than the cached response. This is to match the OCSP spec's recommended behavior:

If a driver would accept a stapled OCSP response and that response has a later nextUpdate than the response already in the cache, drivers SHOULD replace the older entry in the cache with the fresher response.

To do the time comparison, ASN1_TIME_compare is used, which was added in OpenSSL 1.1.1.

To support OCSP in older versions of OpenSSL, the cache bypasses this comparison. This means in OpenSSL pre-1.1.1 newer responses with a later nextUpdate time will not overwrite existing cache entries.

This is less desirable, but also does not seem harmful, as cache entries are still removed on expiration.

See this PR comment for additional context: https://github.com/mongodb/mongo-c-driver/pull/623#discussion_r432192850
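The comparison the ticket asks to polyfill can be done without ASN1_TIME_compare by decoding the DER time strings directly. The following is an added example, not code from the C driver or from the PR linked above: it parses the two canonical DER encodings (UTCTime `YYMMDDHHMMSSZ`, GeneralizedTime `YYYYMMDDHHMMSSZ`), applies the RFC 5280 two-digit-year pivot for UTCTime, compares field by field, and wraps that in the cache rule from the description (replace only when the new nextUpdate is strictly later). The function names `asn1_time_parse`, `asn1_time_compare_polyfill` and `ocsp_cache_should_replace` and the sample timestamps are assumptions for illustration; the return-value contract mirrors ASN1_TIME_compare (-1, 0, 1, or -2 on error) so a caller can swap between the two.

```c
/* Added example (not the driver's code): compare DER ASN.1 time strings
 * without ASN1_TIME_compare, for use on OpenSSL < 1.1.1.
 * Only the canonical DER forms ending in 'Z' are accepted; fractional
 * seconds and explicit UTC offsets are rejected as malformed. */
#include <stdio.h>
#include <string.h>

/* Parsed calendar fields, already in UTC. */
typedef struct {
    int year, month, day, hour, minute, second;
} asn1_time_fields_t;

/* Parse exactly n ASCII digits at s into *out. Returns 1 on success. */
static int parse_digits(const char *s, size_t n, int *out) {
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* Parse a UTCTime ("YYMMDDHHMMSSZ") or GeneralizedTime ("YYYYMMDDHHMMSSZ")
 * string. Returns 1 on success, 0 on malformed input. */
int asn1_time_parse(const char *str, asn1_time_fields_t *t) {
    size_t len = strlen(str);
    const char *p = str;
    int year_digits;

    if (len == 13) year_digits = 2;        /* UTCTime */
    else if (len == 15) year_digits = 4;   /* GeneralizedTime */
    else return 0;
    if (str[len - 1] != 'Z') return 0;     /* DER requires the 'Z' suffix */

    if (!parse_digits(p, (size_t)year_digits, &t->year)) return 0;
    p += year_digits;
    if (year_digits == 2) {
        /* RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY. */
        t->year += (t->year >= 50) ? 1900 : 2000;
    }
    if (!parse_digits(p, 2, &t->month)  || !parse_digits(p + 2, 2, &t->day) ||
        !parse_digits(p + 4, 2, &t->hour) || !parse_digits(p + 6, 2, &t->minute) ||
        !parse_digits(p + 8, 2, &t->second))
        return 0;
    if (t->month < 1 || t->month > 12 || t->day < 1 || t->day > 31 ||
        t->hour > 23 || t->minute > 59 || t->second > 59)
        return 0;
    return 1;
}

/* Same contract as ASN1_TIME_compare: -1 if a < b, 0 if equal, 1 if a > b,
 * -2 if either input cannot be parsed. */
int asn1_time_compare_polyfill(const char *a, const char *b) {
    asn1_time_fields_t ta, tb;
    if (!asn1_time_parse(a, &ta) || !asn1_time_parse(b, &tb)) return -2;
    int av[6] = { ta.year, ta.month, ta.day, ta.hour, ta.minute, ta.second };
    int bv[6] = { tb.year, tb.month, tb.day, tb.hour, tb.minute, tb.second };
    for (int i = 0; i < 6; i++) {
        if (av[i] < bv[i]) return -1;
        if (av[i] > bv[i]) return 1;
    }
    return 0;
}

/* The cache rule from the ticket: replace the cached entry only when the new
 * response's nextUpdate is strictly later. An unparseable time keeps the old
 * entry rather than letting a malformed response evict a good one. */
int ocsp_cache_should_replace(const char *cached_next_update,
                              const char *new_next_update) {
    return asn1_time_compare_polyfill(new_next_update, cached_next_update) == 1;
}

int main(void) {
    /* Constructed sample nextUpdate values, one UTCTime and one GeneralizedTime. */
    const char *cached = "200605120000Z";     /* 2020-06-05 12:00:00Z */
    const char *fresher = "20200606120000Z";  /* 2020-06-06 12:00:00Z */
    printf("compare(cached, fresher) = %d\n",
           asn1_time_compare_polyfill(cached, fresher));
    printf("replace cached with fresher? %d\n",
           ocsp_cache_should_replace(cached, fresher));
    printf("replace fresher with cached? %d\n",
           ocsp_cache_should_replace(fresher, cached));
    return 0;
}
```

On OpenSSL 1.0.2 specifically, ASN1_TIME_diff (which fills in a day and second delta between two ASN1_TIME values) is another route to the same ordering without a hand-written parser; the string-level version above has the advantage of not depending on the OpenSSL version at all, at the cost of accepting only the two DER forms that RFC 5280 permits in certificates and OCSP responses.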

