[SERVER-46485] Investigate Stapling in Windows
| Created: | 28/Feb/20 | Updated: | 27/Oct/23 | Resolved: | 06/Mar/20 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Question | Priority: | Major - P3 |
| Reporter: | Shreyas Kalyan | Assignee: | Shreyas Kalyan |
| Resolution: | Works as Designed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Sprint: | Security 2020-03-09 |
| Participants: | |
| Comments |
| Comment by Sara Williamson [ 10/Mar/20 ] |

Additional behavior we have observed is that Windows will hard fail if certificate validation cannot reach the OCSP responder.
| Comment by Shreyas Kalyan [ 06/Mar/20 ] |

Stapling in Windows does not work as intended with the test certificates that we have. The behavior that we observe is that the mongod, running on Windows and using tlsCertificateSelector to load the certificates, starts up and does not reach out to the responder. When a client attempts a connection, SChannel reaches out to the responder and receives an OCSP Response. However, the server does not staple the response to the TLS connection. In light of this discovery, we have decided to suspend investigation into stapling on Windows. We have confirmed that when a SChannel client is doing certificate status verification, it accepts and processes stapled certificates.
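One way to check from outside the server whether a mongod (or any TLS server) actually staples an OCSP response, independent of what SChannel does on the client side, is to read what `openssl s_client -status` prints after the handshake. The script below is an added example, not code from the ticket or from MongoDB; the `classify_staple` and `probe_staple` helper names, the host name, the port and the sample s_client output are all assumptions or constructed for the illustration. The marker strings it matches are the ones OpenSSL's s_client emits for the "nothing stapled" and "response stapled" cases.

```shell
#!/bin/sh
# Added example (not from the ticket or MongoDB): classify whether a TLS server
# stapled an OCSP response, based on the text `openssl s_client -status` prints.

classify_staple() {
    # $1 is the full stdout of `openssl s_client -status ...`
    out=$1
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled      # client sent status_request, server stapled nothing
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled          # a parsable OCSP response rode along in the handshake
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
        echo stapled-error    # something was stapled, but the responder reported an error status
    else
        echo unknown          # handshake failed, or the text is not from s_client -status
    fi
}

# Probe a live server (needs network). Assumed usage: probe_staple host [port]
# e.g. probe_staple mongod.example.internal 27017 against a mongod started with
# --tlsMode requireTLS --tlsCertificateSelector ... on Windows. The host name is
# an assumption; the default port is MongoDB's usual 27017.
probe_staple() {
    host=$1; port=${2:-27017}
    classify_staple "$(openssl s_client -connect "$host:$port" -status </dev/null 2>/dev/null)"
}

# Constructed samples of s_client output for offline use; not captured from a real mongod.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = mongod.example.internal
   i:CN = Example Internal CA
---'

SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
---
Certificate chain
 0 s:CN = mongod.example.internal
   i:CN = Example Internal CA
---'

SAMPLE_STAPLED_ERR='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: unauthorized (0x6)
======================================
---'
```

Running `probe_staple` from a non-Windows client against the Windows mongod separates the two behaviors the comment describes: `not-stapled` means the server itself is not attaching the response, regardless of SChannel having fetched one during its own validation. A result of `stapled-error` is worth treating as a failure too, since a client doing status verification will not accept an error-status response in place of a good one.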