[DRIVERS-2507] Permit tlsDisableOCSPEndpointCheck in KMS TLS options
Created: 22/Nov/22 Updated: 06/Dec/22
| Status: | Implementing |
| Project: | Drivers |
| Component/s: | Client Side Encryption |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Unknown |
| Reporter: | Kevin Albertson | Assignee: | Kevin Albertson |
| Resolution: | Unresolved | Votes: | 2 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Driver Changes: | Needed |
| Downstream Changes Summary: | See the specification and prose test here: https://github.com/mongodb/specifications/commit/eec11c2e9b200a331df8d7a074dbc94714d2ddd7 |
| Case: | (copied to CRM) |
| Driver Compliance: |
| Description |
Summary
Permit tlsDisableOCSPEndpointCheck in KMS TLS options

Motivation
The Client-Side Encryption specification currently suggests that drivers raise an error if insecure TLS options are set. The rationale is to avoid enabling insecure settings when using CSFLE.

Who is the affected end user?
Users of CSFLE experiencing timeouts due to slow OCSP checks.

How does this affect the end user?
Users may get errors during CSFLE operations requiring KMS.

How likely is it that this problem or use case will occur?
Not sure. There is only one known user report of this issue.

If the problem does occur, what are the consequences and how severe are they?
Unable to complete CSFLE operations.

Is this issue urgent?
Not sure.

Is this ticket required by a downstream team?
No.

Is this ticket only for tests?
No. |
| Comments |
| Comment by Karen Yau [ 06/Dec/22 ] |
|
Hi kevin.albertson@mongodb.com, may I know if we can have a schedule to share with the customer for when this ticket will be completed, so they can test the code change? Thanks. |
| Comment by Githook User [ 05/Dec/22 ] |
|
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message: DRIVERS-2507 Permit `tlsDisableOCSPEndpointCheck` in KMS TLS options (#1354)
|
| Comment by Kevin Albertson [ 02/Dec/22 ] |
|
prince.bhardwaj@mongodb.com drivers are recommended to cache OCSP responses: https://github.com/mongodb/specifications/blob/735a667672c758617821e3c5dda99c551e007375/source/ocsp-support/ocsp-support.rst#suggested-ocsp-caching-behavior |
| Comment by Prince Bhardwaj [ 02/Dec/22 ] |
|
Hello kenneth.white@mongodb.com, we got a suggestion from the customer regarding "Permit tlsDisableOCSPEndpointCheck in KMS TLS options": instead of an option to disable the validation entirely, could adding a cache at the driver layer help with this? Please let us know if that can be done.
|