[DRIVERS-2507] Permit tlsDisableOCSPEndpointCheck in KMS TLS options
Created: 22/Nov/22  Updated: 06/Dec/22

Status: Implementing
Project: Drivers
Component/s: Client Side Encryption
Fix Version/s: None

Type: Improvement
Priority: Unknown
Reporter: Kevin Albertson
Assignee: Kevin Albertson
Resolution: Unresolved
Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Issue split
split to PYTHON-3533 Permit tlsDisableOCSPEndpointCheck in... Closed
split to CXX-2615 Permit tlsDisableOCSPEndpointCheck in... Backlog
split to GODRIVER-2664 Permit tlsDisableOCSPEndpointCheck in... Backlog
split to NODE-4840 Permit tlsDisableOCSPEndpointCheck in... Blocked
split to RUST-1549 Permit tlsDisableOCSPEndpointCheck in... Blocked
split to CDRIVER-4528 Permit tlsDisableOCSPEndpointCheck in... Closed
split to CSHARP-4433 Permit tlsDisableOCSPEndpointCheck in... Closed
split to JAVA-4818 Permit tlsDisableOCSPEndpointCheck in... Closed
split to MOTOR-1069 Permit tlsDisableOCSPEndpointCheck in... Closed
split to PHPC-2188 Permit tlsDisableOCSPEndpointCheck in... Closed
split to RUBY-3187 Permit tlsDisableOCSPEndpointCheck in... Closed
Related
Driver Changes: Needed
Downstream Changes Summary:
  • Permit the "tlsDisableOCSPEndpointCheck" in KMS TLS options
    • This may not be applicable if the driver does not support the option
  • Implement prose test to validate the change.

See the specification and prose test here: https://github.com/mongodb/specifications/commit/eec11c2e9b200a331df8d7a074dbc94714d2ddd7

Case:
Driver Compliance:
Key            Status/Resolution  FixVersion
CDRIVER-4528   Fixed              1.24.0
CXX-2615       Backlog
CSHARP-4433    Works as Designed
GODRIVER-2664  Backlog
JAVA-4818      Won't Do
NODE-4840      Blocked
MOTOR-1069     Duplicate
PYTHON-3533    Fixed              4.4
PHPC-2188      Fixed              1.16.0
RUBY-3187      Fixed              2.19.0, 2.18.2
RUST-1549      Blocked
SWIFT-1681     Won't Do

 Description   

Summary

Permit tlsDisableOCSPEndpointCheck in KMS TLS options

Motivation

The Client-Side Encryption specification currently suggests that drivers raise an error if insecure TLS options are set.

The rationale is to avoid enabling insecure settings when using CSFLE.

Who is the affected end user?

Users of CSFLE experiencing timeouts due to slow OCSP checks.

How does this affect the end user?

Users may get errors during CSFLE operations requiring KMS.

How likely is it that this problem or use case will occur?

Not sure. There is only one known user report of this issue.

If the problem does occur, what are the consequences and how severe are they?

Unable to complete CSFLE operations.

Is this issue urgent?

Not sure.

Is this ticket required by a downstream team?

No.

Is this ticket only for tests?

No.



 Comments   
Comment by Karen Yau [ 06/Dec/22 ]

Hi kevin.albertson@mongodb.com 

May I know if we can have a schedule to share with the customer for when this ticket will be completed, so they can test the code change? Thanks.

Comment by Githook User [ 05/Dec/22 ]

Author: Kevin Albertson <kevin.albertson@mongodb.com> (username: kevinAlbs)

Message: DRIVERS-2507 Permit `tlsDisableOCSPEndpointCheck` in KMS TLS options (#1354)

  • DRIVERS-2507 Permit `tlsDisableOCSPEndpointCheck` in KMS TLS options

Comment by Kevin Albertson [ 02/Dec/22 ]

prince.bhardwaj@mongodb.com drivers are recommended to cache OCSP responses: https://github.com/mongodb/specifications/blob/735a667672c758617821e3c5dda99c551e007375/source/ocsp-support/ocsp-support.rst#suggested-ocsp-caching-behavior

Comment by Prince Bhardwaj [ 02/Dec/22 ]

Hello kenneth.white@mongodb.com,

We got a suggestion from the customer in regards to "Permit tlsDisableOCSPEndpointCheck in KMS TLS options": instead of an option to disable the validation entirely, can adding a cache at the driver layer help with this?

Please let us know if that can be done.

 

 

Generated at Thu Feb 08 08:25:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.