[SERVER-46485] Investigate Stapling in Windows Created: 28/Feb/20  Updated: 27/Oct/23  Resolved: 06/Mar/20

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Question
Priority: Major - P3
Reporter: Shreyas Kalyan
Assignee: Shreyas Kalyan
Resolution: Works as Designed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Sprint: Security 2020-03-09
Participants:

 Comments   
Comment by Sara Williamson [ 10/Mar/20 ]

Additional behavior we have observed is that Windows will hard fail if certificate validation cannot reach the OCSP responder.

Comment by Shreyas Kalyan [ 06/Mar/20 ]

Stapling in Windows does not work as intended with the test certificates that we have.

The behavior that we observe is that the mongod, running on Windows and using tlsCertificateSelector to load the certificates, starts up and does not reach out to the responder. When a client attempts a connection, SChannel reaches out to the responder and receives an OCSP Response. However, the server does not staple the response to the TLS connection. In light of this discovery, we have decided to suspend investigation into stapling on Windows.

We have confirmed that when a SChannel client is doing certificate status verification, it accepts and processes stapled certificates.

Generated at Thu Feb 08 05:11:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.