[CDRIVER-3788] DNS Lookup Failures to OCSP Exhausts connectTimeoutMS Created: 02/Sep/20 Updated: 29/Sep/23

| Status: | Backlog |
| Project: | C Driver |
| Component/s: | OCSP, tls |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Jack Alder |
| Assignee: | Unassigned |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Attachments: | |
| Issue Links: | |
| Epic Link: | Improve Developer Experience |
| Quarter: | FY24Q4 |
| Case: | (copied to CRM) |

| Description |

In a network/internet restricted environment, DNS lookups to the TLS certificate's OCSP address may time out when the OCSP response is not stapled. This DNS timeout may require longer than the default connectTimeoutMS of 10 seconds (20 seconds is the default DNS lookup timeout for environments tested). Attached is a trace and debug from a PHP driver connection, but the underlying issue appears to be in the C driver used by the PHP driver. Workaround: Set the C or PHP URI flag tlsDisableOCSPEndpointCheck=true to skip the OCSP portion of the TLS connection.
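As an added check (not code from the C or PHP driver), the following Python estimates whether a resolver that never gets an answer for the OCSP responder's hostname could consume the entire connectTimeoutMS budget, so an operator can decide between raising connectTimeoutMS, lowering the resolver timeout, or setting the workaround flag. It assumes glibc's resolv.conf `timeout`/`attempts` semantics as an approximation of the worst-case getaddrinfo() wait; the resolv.conf contents, nameserver addresses and URI host are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# glibc resolver defaults; "options timeout:N attempts:M" in resolv.conf overrides them.
DEFAULT_TIMEOUT_S, DEFAULT_ATTEMPTS = 5, 2
DEFAULT_CONNECT_TIMEOUT_MS = 10000  # libmongoc connectTimeoutMS default

# Constructed sample resolv.conf, not taken from the ticket's attachments.
SAMPLE_RESOLV_CONF = """\
nameserver 10.0.0.53
nameserver 10.0.0.54
options timeout:10 attempts:2
"""

def parse_resolv_conf(text):
    """Return (nameserver_count, timeout_s, attempts) from resolv.conf text."""
    nameservers, timeout, attempts = 0, DEFAULT_TIMEOUT_S, DEFAULT_ATTEMPTS
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("nameserver"):
            nameservers += 1
        elif line.startswith("options"):
            for opt in line.split()[1:]:
                m = re.fullmatch(r"(timeout|attempts):(\d+)", opt)
                if m and m.group(1) == "timeout":
                    timeout = int(m.group(2))
                elif m:
                    attempts = int(m.group(2))
    return nameservers, timeout, attempts

def worst_case_dns_wait_s(text):
    """Approximate upper bound on how long getaddrinfo() blocks when no
    nameserver answers: each attempt waits `timeout` on every nameserver."""
    nameservers, timeout, attempts = parse_resolv_conf(text)
    return max(nameservers, 1) * timeout * attempts

def uri_options(uri):
    """connectTimeoutMS and tlsDisableOCSPEndpointCheck (case-insensitive names) from a mongodb:// URI."""
    opts = {k.lower(): v[-1] for k, v in parse_qs(urlsplit(uri).query).items()}
    timeout_ms = int(opts.get("connecttimeoutms", DEFAULT_CONNECT_TIMEOUT_MS))
    skip_ocsp = opts.get("tlsdisableocspendpointcheck", "false").lower() == "true"
    return timeout_ms, skip_ocsp

def ocsp_dns_can_exhaust_connect_timeout(uri, resolv_text):
    """True when an unanswerable OCSP-responder lookup can eat the whole connectTimeoutMS
    budget: the workaround flag is unset and the resolver's worst-case wait is at least as long."""
    timeout_ms, skip_ocsp = uri_options(uri)
    if skip_ocsp:
        return False  # the driver never contacts the OCSP endpoint
    return worst_case_dns_wait_s(resolv_text) * 1000 >= timeout_ms
```

Note that with the glibc defaults (timeout 5, attempts 2) and two unreachable nameservers the bound is 20 seconds, the same order as the DNS timeout the reporter observed, which is why a 10-second connectTimeoutMS cannot survive it.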
| Comments |
| Comment by Andreas Braun [ 25/Nov/20 ] |
|
The portion about reuse of connections is correct. I should mention that this does not work across PHP processes, but only within the current process. So while you may encounter repeated delays when testing this with a CLI script, this may not be as much of an issue when behind FPM.
| Comment by Kevin Albertson [ 24/Nov/20 ] |
|
Apologies for the delayed response. DNS lookup for hosts in libmongoc currently uses getaddrinfo. There is no way to configure a timeout for DNS from within libmongoc, but this may be configurable as a system setting, e.g. by setting the timeout option in /etc/resolv.conf on Unix systems. Even if we are able to set a timeout in libmongoc, the current recommended driver behavior specified for OCSP requests is five seconds:
CC andreas.braun in case I am incorrect. But I believe that due to the PHP driver's reuse of connections, even if establishing the initial connections has a five-second delay, subsequent PHP requests would reuse those connections and would not have to redo the TLS handshake (unless connections were closed due to a network error, etc.). So overall, if this affects users in constrained environments, I think we should determine how to set a timeout on DNS requests from within libmongoc and implement the five-second timeout for OCSP DNS lookup. One possibility is using c-ares.