[CDRIVER-3734] OCSP requests with OpenSSL do not include Host header
Created: 06/Jul/20 | Updated: 28/Oct/23 | Resolved: 10/Jul/20

| Status: | Closed |
| Project: | C Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.17.0-rc0, 1.17.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Kevin Albertson | Assignee: | Kevin Albertson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Epic Link: | C 4.4 Support |

Description

Evergreen tasks are consistently logging OCSP responder errors when contacting Amazon KMS servers:
These are soft failures, so they do not fail the tests. But these OCSP requests should succeed. I can manually make an OCSP request with OpenSSL commands. The certificates and instructions are attached in kms-ocsp-cli.zip for convenience. These logs have been showing for a while. They go back as far as I can reproduce this locally by running the client side encryption tests when building against OpenSSL.
I suspected Capturing the OCSP requests with Wireshark shows that the requests do not include the "Host" HTTP header. Amazon servers appear to reject requests without the host header. Sidenote: The "Host" header was required in the HTTP requests to link-local addresses AWS auth, hence this comment.
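
An added illustration of the issue described above, not code from the C driver or OpenSSL: it frames an OCSP POST with a Host header derived from the responder URL, and checks a captured header block for that header. The function names, the HTTP/1.0 request line and the responder URL `ocsp.example.test` are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix match; HTTP header names are case-insensitive. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Return 1 if any line after the request line is a Host header.
 * Expects a header block only (no request body appended). */
int has_host_header(const char *hdr)
{
    for (const char *eol = strstr(hdr, "\r\n"); eol; eol = strstr(eol + 2, "\r\n"))
        if (starts_with_ci(eol + 2, "Host:"))
            return 1;
    return 0;
}

/* Build the header block for an OCSP POST to an http:// responder URL.
 * Host is taken from the URL authority (host[:port]).
 * Returns the number of bytes written, or -1 on a bad URL or short buffer. */
int build_ocsp_post_header(const char *url, size_t body_len, char *out, size_t out_len)
{
    char host[256];
    if (strncmp(url, "http://", 7) != 0) return -1; /* plain-HTTP responders only */
    const char *authority = url + 7;
    size_t n = strcspn(authority, "/");             /* authority ends at first '/' */
    if (n == 0 || n >= sizeof host) return -1;
    memcpy(host, authority, n);
    host[n] = '\0';
    const char *path = authority[n] ? authority + n : "/";
    int w = snprintf(out, out_len,
                     "POST %s HTTP/1.0\r\nHost: %s\r\n"   /* HTTP/1.0 is assumed */
                     "Content-Type: application/ocsp-request\r\n"
                     "Content-Length: %zu\r\n\r\n", path, host, body_len);
    return (w < 0 || (size_t)w >= out_len) ? -1 : w;
}

int main(void)
{
    char buf[512]; /* the responder URL below is a constructed placeholder */
    if (build_ocsp_post_header("http://ocsp.example.test/status", 83, buf, sizeof buf) > 0)
        printf("%sHost header present: %d\n", buf, has_host_header(buf));
    return 0;
}
```
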

Comments

Comment by Githook User [ 11/Jul/20 ]
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message:

Comment by Githook User [ 10/Jul/20 ]
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message:

Comment by Kevin Albertson [ 08/Jul/20 ]

Comment by Kevin Albertson [ 06/Jul/20 ]
Adding the Host header resolves it on my local machine, but Evergreen still fails to verify the response example: