[SERVER-55122] Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile Created: 10/Mar/21  Updated: 29/Oct/23  Resolved: 21/Mar/21

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.9.0, 4.4.6

Type: Bug Priority: Major - P3
Reporter: Shreyas Kalyan Assignee: Shreyas Kalyan
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Duplicate
is duplicated by SERVER-55074 Add warning message to OCSP Fetcher w... Closed
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.4
Sprint: Security 2021-03-22
Participants:
Linked BF Score: 10

Description

Say that a certificate chain is structured as such:

server certificate -> intermediate certificate -> self signed root certificate 

When the server is presented with certificates in this fashion:

tlsCertificateKeyFile: server certificate -> intermediate certificate
tlsCAFile: self signed root certificate

The server is unable to staple an OCSP response because it is unable to build out the chain. The intermediate certificate is loaded into a different structure, not the X509 store for the SSL_CTX object. We need to fetch the intermediate certificate from an internal OpenSSL object and build out the chain when we start the OCSP stapling process.
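
The chain-building gap described above can be reproduced with the `openssl` command line. This is an added illustration, not MongoDB's code or its fix: `openssl verify` given only the root stands in for a lookup limited to the CA store, and `-untrusted` stands in for also consulting the certificates shipped in the key file. The PKI is constructed and throwaway; the file names, subject names and the helper names `make_pki` and `chain_builds` are assumptions.

```bash
#!/bin/sh
# Constructed throwaway PKI (assumed names), laid out as in the ticket.
# make_pki DIR writes:
#   DIR/ca.pem      root only                      (plays tlsCAFile)
#   DIR/server.pem  leaf + intermediate + leaf key (plays tlsCertificateKeyFile)
make_pki() {
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/cfg" -extensions ca \
    -subj "/CN=Example Root" -keyout "$d/root.key" -out "$d/ca.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" \
    -subj "/CN=Example Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/ca.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/cfg" -extensions ca -days 1 -out "$d/int.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" \
    -subj "/CN=server.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
  cat "$d/leaf.pem" "$d/int.pem" "$d/leaf.key" > "$d/server.pem"
}

# chain_builds CAFILE KEYFILE store|chain -> 0 if the first certificate in
# KEYFILE chains to CAFILE. "store": no intermediates are supplied beyond what
# CAFILE holds. "chain": the certificates in KEYFILE are offered as untrusted.
chain_builds() {
  certs=$(mktemp) || return 2
  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$2" > "$certs"  # drop the private key
  if [ "$3" = chain ]; then
    openssl verify -CAfile "$1" -untrusted "$certs" "$certs" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$certs" >/dev/null 2>&1
  fi
  rc=$?
  rm -f "$certs"
  return $rc
}

PKI=$(mktemp -d) && make_pki "$PKI" || exit 1
for mode in store chain; do
  if chain_builds "$PKI/ca.pem" "$PKI/server.pem" "$mode"; then r="builds"; else r="does not build"; fi
  echo "$mode: chain $r"
done
```

Running `chain_builds` against a real deployment's CA file and key file shows whether the issuer of the server certificate is reachable only through the key file, which is the layout this ticket addresses.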



Comments
Comment by Githook User [ 07/Apr/21 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}

Message: SERVER-55122 Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile

(cherry picked from commit 17c516775aa4f5848671340f21545b7dffdc2d74)
Branch: v4.4
https://github.com/mongodb/mongo/commit/6eaf9b51d0f710e0088799f72b0812a18efc1b02

Comment by Githook User [ 21/Mar/21 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}

Message: SERVER-55122 Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile
Branch: master
https://github.com/mongodb/mongo/commit/17c516775aa4f5848671340f21545b7dffdc2d74
