[CDRIVER-3788] DNS Lookup Failures to OCSP Exhausts connectTimeoutMS Created: 02/Sep/20  Updated: 29/Sep/23

Status: Backlog
Project: C Driver
Component/s: OCSP, tls
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Jack Alder Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File PHONGO-1599008067pCaVN6.redacted
Issue Links:
Related
related to CDRIVER-4522 Possible improvements to mitigate neg... Backlog
is related to CDRIVER-3781 Improve debugging output for OCSP sof... Backlog
is related to PHPC-1671 Better user-facing messaging when OCS... Closed
Epic Link: Improve Developer Experience
Quarter: FY24Q4
Case:

Description

In a network/internet restricted environment, DNS lookups to the TLS certificate's OCSP address may time out when the OCSP is not stapled. This DNS timeout may require longer than the default connectTimeoutMS of 10 seconds (20 seconds is the default DNS lookup timeout for environments tested).
After failing to resolve the OCSP address, the driver then immediately aborts the connection with a failure on topology (isMaster response marked as NULL).

Attached is a trace and debug from a PHP driver connection, but the underlying issue appears to be in the C driver used by the PHP driver.

Workaround: Set the C or PHP URI flag for tlsDisableOCSPEndpointCheck=true to skip the OCSP portion of the TLS connection.



Comments
Comment by Andreas Braun [ 25/Nov/20 ]

The portion about reuse of connections is correct. I should mention that this does not work across PHP processes, but only within the current process. So while you may encounter repeated delays when testing this with a CLI script, this may not be as much of an issue when behind FPM.

Comment by Kevin Albertson [ 24/Nov/20 ]

Apologies for the delayed response.

DNS lookup for hosts in libmongoc currently uses getaddrinfo. There is no way to configure a timeout for DNS from within libmongoc, but this may be configurable on a system setting. E.g. by setting the timeout option in /etc/resolv.conf on Unix systems.

Even if we are able to set a timeout in libmongoc, the current recommended driver behavior specified for OCSP requests is five seconds:

A five-second timeout SHOULD be used for the requests

CC andreas.braun in case I am incorrect. But I believe due to the PHP driver's reuse of connections, even if establishing the initial connections has a five-second delay, subsequent PHP requests would reuse those connections, and would not have to redo the TLS handshake (unless connections were closed due to a network error, etc.).

So overall, if this affects users in constrained environments, I think we should determine how to set a timeout on DNS requests from within libmongoc and implement the five second timeout for OCSP DNS lookup. One possibility is using c-ares.
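The comment above notes that libmongoc's hostname lookups go through getaddrinfo, which blocks with no timeout of its own, so a resolver that never answers consumes the whole connectTimeoutMS budget before the driver reaches the OCSP responder. The following is an added example, not C driver code, of one way to bound such a lookup without an external library such as c-ares: run getaddrinfo on a detached worker thread and wait on it only until a deadline, with a reference count so the worker frees its own result if the caller has already given up. The names resolve_with_deadline, dns_request_t, resolved_ipv4_port and slow_resolver are constructed for this example; slow_resolver stands in for an unreachable DNS server so the timeout path can be exercised offline.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>

enum dns_status { DNS_OK = 0, DNS_TIMEOUT = 1, DNS_FAILED = 2 };
/* Any function with getaddrinfo's signature; a test can inject a slow stand-in. */
typedef int (*resolver_fn)(const char *, const char *,
                           const struct addrinfo *, struct addrinfo **);

/* Shared by caller and worker; whichever drops the last reference frees it, so a
 * lookup the caller abandoned at the deadline can neither leak nor dangle. */
typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t done_cv;
    int refcount, done, gai_rc;
    struct addrinfo *result;
    char host[256], service[32];
    resolver_fn resolve;
} dns_request_t;

static void request_unref(dns_request_t *req) {
    pthread_mutex_lock(&req->lock);
    int remaining = --req->refcount;
    pthread_mutex_unlock(&req->lock);
    if (remaining > 0) return;
    if (req->result) freeaddrinfo(req->result);
    pthread_mutex_destroy(&req->lock);
    pthread_cond_destroy(&req->done_cv);
    free(req);
}

/* Worker thread: performs the blocking lookup, publishes the result, drops its reference. */
static void *resolver_worker(void *arg) {
    dns_request_t *req = arg;
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    int rc = req->resolve(req->host, req->service, &hints, &res);
    pthread_mutex_lock(&req->lock);
    req->gai_rc = rc; req->result = (rc == 0) ? res : NULL; req->done = 1;
    pthread_cond_signal(&req->done_cv);
    pthread_mutex_unlock(&req->lock);
    request_unref(req);
    return NULL;
}

/* Resolve host:service but give up after timeout_ms. On DNS_OK the caller owns *out. */
enum dns_status resolve_with_deadline(const char *host, const char *service, int timeout_ms,
                                      resolver_fn resolve, struct addrinfo **out) {
    *out = NULL;
    dns_request_t *req = calloc(1, sizeof *req);
    if (!req) return DNS_FAILED;
    pthread_mutex_init(&req->lock, NULL);
    pthread_cond_init(&req->done_cv, NULL);
    req->refcount = 2;                          /* one for the caller, one for the worker */
    strncpy(req->host, host, sizeof req->host - 1);        /* calloc zeroed the terminator */
    strncpy(req->service, service, sizeof req->service - 1);
    req->resolve = resolve;
    pthread_t tid;
    if (pthread_create(&tid, NULL, resolver_worker, req) != 0) {
        req->refcount = 1; request_unref(req); return DNS_FAILED;
    }
    pthread_detach(tid);
    struct timespec deadline;                   /* absolute CLOCK_REALTIME time for timedwait */
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }
    enum dns_status status;
    pthread_mutex_lock(&req->lock);
    while (!req->done && pthread_cond_timedwait(&req->done_cv, &req->lock, &deadline) == 0) {}
    if (req->done) {
        status = (req->gai_rc == 0) ? DNS_OK : DNS_FAILED;
        *out = req->result; req->result = NULL; /* ownership moves to the caller */
    } else {
        status = DNS_TIMEOUT;                   /* worker still blocked; it frees req later */
    }
    pthread_mutex_unlock(&req->lock);
    request_unref(req);
    return status;
}

/* Port (host byte order) of the first IPv4 result, or -1 if there is none. */
int resolved_ipv4_port(const struct addrinfo *ai) {
    for (; ai; ai = ai->ai_next)
        if (ai->ai_family == AF_INET) return ntohs(((const struct sockaddr_in *)ai->ai_addr)->sin_port);
    return -1;
}

/* Constructed stand-in for a DNS server that never answers: blocks 2 s, then fails
 * (a shortened version of the 20 s system lookup timeout described in the ticket). */
int slow_resolver(const char *host, const char *service, const struct addrinfo *hints,
                  struct addrinfo **res) {
    (void)host; (void)service; (void)hints;
    struct timespec nap = { 2, 0 };
    nanosleep(&nap, NULL);
    *res = NULL;
    return EAI_AGAIN;
}
```

A thread cannot be cancelled while it is inside getaddrinfo, so an abandoned lookup still occupies a thread until the system resolver gives up; the point is that the caller's connect budget is no longer consumed by it, and the five-second value quoted from the OCSP specification would simply be passed as timeout_ms. Resolving a numeric address such as 127.0.0.1 never touches the network, which is why it is used as the fast-path input below.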
