[SERVER-51364] Ubuntu 18.04 Server with OCSP and TLS fails to work Created: 05/Oct/20  Updated: 29/Oct/23  Resolved: 07/Jan/21

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.9.0, 4.4.6

Type: Bug Priority: Major - P3
Reporter: Shreyas Kalyan Assignee: Shreyas Kalyan
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
related to SERVER-56848 RHEL 8.0 Server with OCSP and TLS fai... Closed
related to GODRIVER-1961 Run OCSP Evergreen tasks on RHEL 7.0 Closed
is related to PYTHON-3042 Migrate OCSP testing to Ubuntu 20.04 Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.4
Sprint: Security 2020-12-14, Security 2021-01-11
Participants:
Case:

Description

It appears that the OpenSSL shipped with Ubuntu 18.04 has a bug. When a server running this version of OpenSSL speaks to a Go client over TLS 1.3 with OCSP stapling enabled, connection establishment fails. The only fixes documented in the upstream ticket are: 1. upgrade OpenSSL; or 2. disable TLS 1.3; or 3. disable OCSP stapling.

The first option isn't really available to us: Canonical would have to ship the upgrade, and older copies of their OS without the fix would still be in use. To unbreak the Go clients, we'd need to disable either TLS 1.3 or OCSP stapling by default on that platform.
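The failure described above involves three moving parts: the negotiated protocol version, whether the server stapled an OCSP response, and the Go client's handling of both. The following is an added diagnostic example, not code from the ticket or from the MongoDB project. It stands up a loopback Go TLS server that staples a constructed placeholder byte string (a real deployment staples a DER-encoded OCSP response obtained from the CA's responder), then connects with a Go client capped at a chosen maximum TLS version and reports what the client observed. Because the server side here is Go's crypto/tls rather than the Ubuntu 18.04 OpenSSL build, it does not reproduce the bug itself; it shows how to confirm, from the client side, which version was negotiated and whether a staple arrived, which is the check to run before and after applying either workaround.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HandshakeReport summarises what the Go client observed after the handshake.
type HandshakeReport struct {
	Version    uint16 // negotiated TLS version, e.g. tls.VersionTLS13
	HasStaple  bool   // server presented a stapled OCSP response
	StapleSize int    // length of the stapled response in bytes
}

// selfSignedCert builds an in-memory self-signed certificate for the loopback
// server and a root pool that trusts it (constructed for this example only).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// probe starts a one-shot loopback TLS server that staples `staple` (nil means
// no stapling), connects with a client whose maximum version is maxVersion,
// and reports the negotiated version and staple presence as the client saw them.
func probe(staple []byte, maxVersion uint16) (HandshakeReport, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return HandshakeReport{}, err
	}
	cert.OCSPStaple = staple // Go sends this in CertificateStatus (TLS 1.2) or the Certificate extension (TLS 1.3)

	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return HandshakeReport{}, err
	}
	defer ln.Close()

	// Serve exactly one connection: complete the handshake, then close.
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		if tc, ok := c.(*tls.Conn); ok {
			_ = tc.Handshake()
		}
		c.Close()
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS12,
		MaxVersion: maxVersion, // cap at tls.VersionTLS12 to emulate "disable TLS 1.3"
	})
	if err != nil {
		return HandshakeReport{}, err
	}
	defer conn.Close()

	st := conn.ConnectionState()
	return HandshakeReport{
		Version:    st.Version,
		HasStaple:  len(st.OCSPResponse) > 0,
		StapleSize: len(st.OCSPResponse),
	}, nil
}

func main() {
	staple := []byte("constructed-placeholder-ocsp-response") // not a real OCSP response
	for _, v := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		r, err := probe(staple, v)
		if err != nil {
			fmt.Println("handshake failed:", err)
			continue
		}
		fmt.Printf("max=%#x negotiated=%#x staple=%v (%d bytes)\n", v, r.Version, r.HasStaple, r.StapleSize)
	}
}
```

Against a real mongod, replace the loopback listener with the server's address and the root pool with the deployment's CA: a handshake error only when `MaxVersion` is `tls.VersionTLS13` and `HasStaple` would otherwise be true is the signature of the interaction this ticket describes, and the same probe run after disabling either TLS 1.3 or stapling on the server confirms the workaround took effect.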



Comments
Comment by Githook User [ 07/Apr/21 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}

Message: SERVER-51364 Ubuntu 18.04 Server with OCSP and TLS fails to work

(cherry picked from commit c20e3c5001923d8e8385dab70786da97888b039e)
Branch: v4.4
https://github.com/mongodb/mongo/commit/3d425cd2082717069d2a9e57835f38d4c57224a4

Comment by Ian Whalen (Inactive) [ 07/Jan/21 ]

Author:

{'username': u'evrg-bot-webhook', 'name': u'Shreyas Kalyan', 'email': u'shreyas.kalyan@10gen.com'}

Message: SERVER-51364 Ubuntu 18.04 Server with OCSP and TLS fails to work
Branch: master
https://github.com/mongodb/mongo/commit/c20e3c5001923d8e8385dab70786da97888b039e

Comment by Shreyas Kalyan [ 07/Jan/21 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}

Message: SERVER-51364 Ubuntu 18.04 Server with OCSP and TLS fails to work
Branch: master
https://github.com/mongodb/mongo/commit/c20e3c5001923d8e8385dab70786da97888b039e

Comment by Salman Baset [ 06/Nov/20 ]

andrey.belik can we move to Ubuntu 20 instead of 18? Otherwise, my recommendation is that we disable OCSP stapling in the Server for Ubuntu 18.04 builds

Comment by Andrey Belik (Inactive) [ 13/Oct/20 ]

We use Ubuntu 16 and UBI 8
However, we are moving to Ubuntu 18 soonish. But we are going to use the latest Ubuntu version built by Canonical

Generated at Thu Feb 08 05:25:17 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.