[SERVER-55122] Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile Created: 10/Mar/21 Updated: 29/Oct/23 Resolved: 21/Mar/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 4.9.0, 4.4.6 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Shreyas Kalyan | Assignee: | Shreyas Kalyan |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||||||||||
| Operating System: | ALL | ||||||||||||||||||||
| Backport Requested: |
v4.4
|
||||||||||||||||||||
| Sprint: | Security 2021-03-22 | ||||||||||||||||||||
| Participants: | |||||||||||||||||||||
| Linked BF Score: | 10 | ||||||||||||||||||||
| Description |
|
Say that a certificate chain is structured as such:
When the server is presented with certificates in this fashion:
The server is unable to staple an OCSP response because it is unable to build out the chain. The intermediate certificate is loaded into a different structure - not the X509 store for the SSL_CTX object. We need to fetch the intermediate certificate from an internal OpenSSL object and build out the chain when we start the OCSP stapling process. |
| Comments |
| Comment by Githook User [ 07/Apr/21 ] |
|
Author: {'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}Message: (cherry picked from commit 17c516775aa4f5848671340f21545b7dffdc2d74) |
| Comment by Githook User [ 21/Mar/21 ] |
|
Author: {'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}Message: |