[CDRIVER-3734] OCSP requests with OpenSSL do not include Host header Created: 06/Jul/20  Updated: 28/Oct/23  Resolved: 10/Jul/20

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.17.0-rc0, 1.17.0

Type: Bug Priority: Major - P3
Reporter: Kevin Albertson Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Zip Archive kms-ocsp-cli.zip
Issue Links:
Related
Epic Link: C 4.4 Support

Description

Evergreen tasks are consistently logging OCSP responder errors when contacting Amazon KMS servers:

[2020/06/05 23:32:36.479] 2020/06/05 23:32:36.0390: [71201]:    DEBUG:       mongoc: Could not perform an OCSP request for url 'http://ocsp.sca1b.amazontrust.com'. Error: error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error
[2020/06/05 23:32:36.479] 2020/06/05 23:32:36.0390: [71201]:    DEBUG:       mongoc: Soft-fail: No OCSP responder could be reached

These are soft failures, so they do not fail the tests. But these OCSP requests should succeed. I can manually make an OCSP request with OpenSSL commands. The certificates and instructions are attached in kms-ocsp-cli.zip for convenience.

These logs have been showing for a while. They go back as far as CDRIVER-3668:
https://evergreen.mongodb.com/task/mongo_c_driver_gcc48rhel_test_latest_server_noauth_sasl_openssl_cse_733322e98fdad8d4cf5fa2ce2f256d8e014ce51e_20_06_05_17_49_51

I can reproduce this locally by running the client side encryption tests when building against OpenSSL.

> ./cmake-build/src/libmongoc/test-libmongoc --no-fork -d -l /client_side_encryption/distinct
...
Begin /client_side_encryption/distinct, seed 1569892307
  - distinct with deterministic encryption
2020/07/06 10:39:15.0057: [55294]:    DEBUG:       mongoc: Could not send OCSP request for url 'http://ocsp.sca1b.amazontrust.com'. Error: error:27076072:OCSP routines:parse_http_line1:server response error
2020/07/06 10:39:15.0057: [55294]:    DEBUG:       mongoc: Soft-fail: No OCSP responder could be reached
  - Distinct fails when filtering on a random encrypted field
    { "status": "pass", "test_file": "/client_side_encryption/distinct", "seed": "1569892307", "start": 608.732156, "end": 609.732042, "elapsed": 0.999886  }

I suspected CDRIVER-3668 caused a regression, but checking out prior commits shows the same behavior.

Capturing the OCSP requests with wireshark shows that the requests do not include the "Host" HTTP header. Amazon servers appear to reject requests without the host header.

Sidenote: The "Host" header was required in the HTTP requests to link-local addresses for AWS auth, hence this comment.
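As an added example (not code from mongo-c-driver or OpenSSL), here is the check a practitioner would run on an OCSP request head captured from the wire, flagging one that lacks the Host header, beside a builder that emits the HTTP/1.1 head the fix needs, with Host derived from the responder URL. The sample request head is constructed to match the shape the description reports, and the DER body of the OCSP request is not examined.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "does s start with prefix" (HTTP header names are case-insensitive). */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Return 1 if the request head (everything before the blank line) carries a Host
 * header, 0 otherwise.  The DER body that follows the blank line is not inspected. */
int http_head_has_host(const char *raw)
{
    const char *end = strstr(raw, "\r\n\r\n");
    size_t head_len = end ? (size_t)(end - raw) : strlen(raw);
    const char *line = strchr(raw, '\n');           /* skip the request line */
    while (line && (size_t)(line - raw) < head_len) {
        line++;                                     /* first byte of a header line */
        if (starts_with_ci(line, "Host:")) return 1;
        line = strchr(line, '\n');
    }
    return 0;
}

/* Write the HTTP/1.1 head for an OCSP POST to url ("http://host[:port][/path]").
 * Host mirrors the URL authority, which is what the responder checks.  Returns the
 * number of bytes written, or -1 for a non-http URL or a buffer that is too small. */
int build_ocsp_request_head(const char *url, size_t body_len, char *out, size_t out_len)
{
    if (strncmp(url, "http://", 7) != 0) return -1;
    const char *authority = url + 7;
    const char *path = strchr(authority, '/');
    size_t auth_len = path ? (size_t)(path - authority) : strlen(authority);
    if (auth_len == 0) return -1;
    int n = snprintf(out, out_len,
                     "POST %s HTTP/1.1\r\nHost: %.*s\r\n"
                     "Content-Type: application/ocsp-request\r\nContent-Length: %zu\r\n\r\n",
                     path ? path : "/", (int)auth_len, authority, body_len);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}
```

Run `http_head_has_host` over the head of each request in a capture to find clients that still omit Host; the builder shows the minimal head a responder such as the one in the description will accept.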
Comments
Comment by Githook User [ 11/Jul/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3734 add Host header to OCSP requests
Branch: r1.17
https://github.com/mongodb/mongo-c-driver/commit/1c8f79c7d64ff6a144bcd9f95de2f398df9c482e

Comment by Githook User [ 10/Jul/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3734 add Host header to OCSP requests
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/2104e88f75bb28b2299298fe5bbe9abb97353c3e

Comment by Kevin Albertson [ 08/Jul/20 ]

PR: https://github.com/mongodb/mongo-c-driver/pull/655

Comment by Kevin Albertson [ 06/Jul/20 ]

Adding the Host header resolves it on my local machine, but Evergreen still fails to verify the response. Example:

[2020/07/06 15:16:07.061] 2020/07/06 15:16:07.0043: [ 4955]:    DEBUG:       mongoc: OCSP response failed verification: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error

Generated at Wed Feb 07 21:18:53 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.