[SERVER-49279] Investigate how the server and client process OCSP responses Created: 02/Jul/20 Updated: 12/Nov/20 Resolved: 12/Nov/20

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Shreyas Kalyan | Assignee: | Shreyas Kalyan |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Sprint: | Security 2020-07-27, Security 2020-11-16 |
| Participants: | |

| Description |
If the server observes a response containing multiple single_responses, say 2 good and 1 unknown, it treats the whole response as unknown rather than good. This could cause the server to not staple an OCSP response even when the server's certificate is covered by that response. This logic needs to be revisited to ensure that a response is not discarded for this reason.
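To make the decision concrete, here is an added Python example (not MongoDB's code; the CertId and SingleResponse classes and the status strings are assumptions modelling the RFC 6960 fields): the aggregating logic that yields "unknown" for the sample response described above, beside a version that keys the stapling decision off the SingleResponse whose CertID matches the server's own certificate.

```python
from dataclasses import dataclass
from typing import List, Optional

# CertId, SingleResponse and the status strings are assumptions for this
# illustration, not identifiers from the MongoDB server source.

@dataclass(frozen=True)
class CertId:
    issuer_name_hash: bytes   # hash of the issuer DN (RFC 6960 CertID)
    issuer_key_hash: bytes    # hash of the issuer public key
    serial_number: int        # serial of the certificate being checked

@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertId
    status: str               # "good", "revoked" or "unknown"

_RANK = {"good": 0, "unknown": 1, "revoked": 2}

def aggregate_status(responses: List[SingleResponse]) -> str:
    """Problematic logic from the ticket: the worst status across all
    SingleResponses becomes the verdict, so one 'unknown' for an
    unrelated certificate hides a 'good' for the server's own."""
    return max((r.status for r in responses), key=_RANK.__getitem__)

def status_for_cert(responses: List[SingleResponse],
                    server_cert: CertId) -> Optional[str]:
    """Corrected logic: only the SingleResponse whose CertID matches the
    server certificate matters. Returns None when no entry covers it,
    which is the one case where nothing should be stapled."""
    for r in responses:
        if r.cert_id == server_cert:
            return r.status
    return None

def should_staple(responses: List[SingleResponse], server_cert: CertId) -> bool:
    """Staple only when the matching entry says 'good'."""
    return status_for_cert(responses, server_cert) == "good"

# Constructed sample: one response covering three certificates from the
# same issuer, two 'good' and one 'unknown'; the server holds serial 1001.
ISSUER = (b"\x01" * 20, b"\x02" * 20)
SERVER_CERT = CertId(*ISSUER, 1001)
SAMPLE = [
    SingleResponse(CertId(*ISSUER, 1001), "good"),
    SingleResponse(CertId(*ISSUER, 1002), "good"),
    SingleResponse(CertId(*ISSUER, 1003), "unknown"),
]
```

With the sample above, aggregate_status returns "unknown" while status_for_cert returns "good" for the server's certificate, so the corrected logic staples and the aggregating logic does not.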
| Comments |
| Comment by Shreyas Kalyan [ 12/Nov/20 ] |
After doing some investigation, this seems like a very edge case scenario, and very unlikely to be encountered by customers. Completing this ticket will require some thought and restructuring of our functions that handle OCSP responses. I am going to close this, but if there is customer demand for it we can revisit this in the future. |