[SERVER-46729] Make Windows shell soft-fail for unavailable OCSP responder Created: 09/Mar/20 Updated: 29/Oct/23 Resolved: 04/May/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Shell |
| Affects Version/s: | None |
| Fix Version/s: | 4.4.0-rc5, 4.7.0, 4.2.11, 4.0.22 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Shreyas Kalyan |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||||||||||
| Backport Requested: |
v4.4, v4.2, v4.0
|
||||||||||||||||||||
| Sprint: | Security 2020-03-23, Security 2020-04-06, Security 2020-04-20, Security 2020-05-04, Security 2020-05-18 | ||||||||||||||||||||
| Participants: | |||||||||||||||||||||
| Case: | (copied to CRM) | ||||||||||||||||||||
| Description |
|
When a client is unable to contact an OCSP responder, it neither acquires a positive or a negative response for certificate validity. In this state, it should accept non-MustStaple certificates in order to prevent transient network faults from compromising availability. Windows' SChannel library defaults to hard-failing on detecting an unavailable certificate. We should try and use the SCH_CRED_IGNORE_REVOCATION_OFFLINE flag to change this behaviour. |
| Comments |
| Comment by Githook User [ 11/Nov/20 ] |
|
Author: {'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}Message: (cherry picked from commit 9dcfaa1261cf847e6692269e77dd5ad4c14324e9) |
| Comment by Githook User [ 09/Nov/20 ] |
|
Author: {'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}Message: (cherry picked from commit 9dcfaa1261cf847e6692269e77dd5ad4c14324e9) |
| Comment by Githook User [ 07/May/20 ] |
|
Author: {'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}Message: |
| Comment by Githook User [ 04/May/20 ] |
|
Author: {'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}Message: |
| Comment by Shreyas Kalyan [ 10/Mar/20 ] |
|
After investigation during |
| Comment by Shreyas Kalyan [ 09/Mar/20 ] |
|
The changes required for this ticket are being rolled into SERVER-46413. |