[CDRIVER-3739] Add five second timeout to OCSP requests for OpenSSL

Created: 09/Jul/20
Updated: 28/Oct/23
Resolved: 14/Jul/20

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.17.0-rc0, 1.17.0

Type: Bug
Priority: Major - P3
Reporter: Kevin Albertson
Assignee: Kevin Albertson
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Epic Link: C 4.4 Support

 Description   

An error due to unresponsive responders was observed here:
https://evergreen.mongodb.com/task/mongo_c_driver_power8_ubuntu1604_authentication_tests_openssl_nosasl_23fd5f57ab3677a57c0acc4a341a33dc60073e3a_20_07_08_19_22_13

This caused a server selection timeout since it exceeded 30 seconds.



 Comments   
Comment by Githook User [ 14/Jul/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3739 Add 5 second timeout to OCSP (#658)

Comment by Githook User [ 13/Jul/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3739 Add 5 second timeout to OCSP (#658)

Comment by Kevin Albertson [ 10/Jul/20 ]

PR: https://github.com/mongodb/mongo-c-driver/pull/658

Comment by Kevin Albertson [ 09/Jul/20 ]

Observations:

  • The failure is not consistent. Running another patch build shows a success.
    https://spruce.mongodb.com/task/mongo_c_driver_power8_ubuntu1604_authentication_tests_openssl_nosasl_patch_23fd5f57ab3677a57c0acc4a341a33dc60073e3a_5f072dc42a60ed522d0a51c8_20_07_09_14_46_43/logs
  • According to the logged message, the timeout occurs when connecting to ocsp.digicert.com.
  • I can reproduce this locally with just one of the hosts returned in the SRV records:

    ./cmake-build-openssl-1.1.0/src/libmongoc/mongoc-ping "mongodb://freecluster-shard-00-00-oztdp.mongodb-dev.net:27017/?retryWrites=true&connectTimeoutMS=30000&serverSelectionTryOnce=false&tlsCAFile=/certs/ca/digicert-global-root-ca.pem"
    

  • Wireshark shows a failure to connect. I see the first SYN packet followed by a sequence of retransmissions (attached as connection-timeout.pcapng)
  • I can reproduce connectivity issues outside of libmongoc. curl ocsp.digicert.com either returns immediately, or it hangs then prints curl: (7) Failed to connect to ocsp.digicert.com port 80: Operation timed out

Hypothesis: This indicates a flaky connectivity issue with the responders. Implementing the five second timeout (as is recommended in the spec) should fix tests.
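
The observations above describe a connect that stalls on SYN retransmissions; the following sketch bounds a TCP connect with a deadline so an unresponsive responder costs at most five seconds. It is an added example, not code from mongo-c-driver or PR #658: `connect_deadline`, `demo_loopback` and the `CONN_*` codes are hypothetical names, and the loopback endpoints are constructed so it runs offline.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum { CONN_OK = 0, CONN_ERROR = -1, CONN_TIMEOUT = -2 };

/* Added example (not mongo-c-driver code). Connect to addr, giving up after
 * timeout_ms rather than waiting out the kernel's SYN retransmissions.
 * On CONN_OK, *fd_out holds the (non-blocking) socket. */
int connect_deadline (const struct sockaddr_in *addr, int timeout_ms, int *fd_out)
{
   int err = 0, rc = CONN_OK, fd = socket (AF_INET, SOCK_STREAM, 0);
   socklen_t len = sizeof err;
   struct pollfd pfd = {.fd = fd, .events = POLLOUT};
   if (fd < 0) return CONN_ERROR;
   fcntl (fd, F_SETFL, fcntl (fd, F_GETFL, 0) | O_NONBLOCK);
   if (connect (fd, (const struct sockaddr *) addr, sizeof *addr) != 0) {
      rc = CONN_ERROR; /* immediate failure, e.g. ECONNREFUSED */
      if (errno == EINPROGRESS) {
         int n = poll (&pfd, 1, timeout_ms); /* single wait; EINTR counts as error */
         if (n == 0) rc = CONN_TIMEOUT; /* handshake did not finish in time */
         else if (n > 0 && getsockopt (fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
            rc = CONN_OK;
      }
   }
   if (rc != CONN_OK) close (fd); else *fd_out = fd;
   return rc;
}

/* Constructed loopback check: listening=1 targets a live listener,
 * listening=0 targets a port that was bound and then closed. */
int demo_loopback (int listening)
{
   struct sockaddr_in a = {.sin_family = AF_INET, .sin_addr.s_addr = htonl (INADDR_LOOPBACK)};
   socklen_t alen = sizeof a;
   int fd = -1, rc, srv = socket (AF_INET, SOCK_STREAM, 0);
   if (srv < 0 || bind (srv, (struct sockaddr *) &a, sizeof a) != 0) return CONN_ERROR;
   getsockname (srv, (struct sockaddr *) &a, &alen); /* learn the ephemeral port */
   if (listening) listen (srv, 1); else close (srv);
   rc = connect_deadline (&a, 5000, &fd); /* five seconds, as in the ticket */
   if (rc == CONN_OK) close (fd);
   if (listening) close (srv);
   return rc;
}

int main (void) { printf ("listener: %d, closed port: %d\n", demo_loopback (1), demo_loopback (0)); return 0; }
```

The deadline covers only the TCP handshake; name resolution and the HTTP exchange that follows need their own bounds for the whole OCSP request to stay within the limit.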
