[SERVER-57601] OCSPFetcher must verify that the SSLConnectionContext that owns SSLManagerOpenSSL is still valid

Created: 09/Jun/21
Updated: 29/Oct/23
Resolved: 18/Jun/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.0.0-rc5, 5.1.0-rc0

Type: Bug
Priority: Major - P3
Reporter: Andrew Shuvalov (Inactive)
Assignee: Andrew Shuvalov (Inactive)
Resolution: Fixed
Votes: 0
Labels: post-rc0
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v5.0, v4.4
Sprint: Sharding 2021-06-14, Sharding 2021-06-28
Participants:
Linked BF Score: 150

 Description   

While the OCSPFetcher periodic job owns the refcount to SSLManagerOpenSSL, there is a possibility of a race in which the SSLConnectionContext that owns this manager is already deleted. Indeed, the SSLConnectionContext is passed as a shared pointer in many places and its exact deletion moment is hard to predict. At the same time, the SSLManagerOpenSSL may outlive the SSLConnectionContext that owns it because the refcount to it is owned by the OCSPFetcher callback itself.

The fetcher shutdown() is invoked from ~SSLManagerOpenSSL() -> stopJobs(), but as described above, the manager itself is owned by the OCSPFetcher, so it will not shut itself down at all.
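
The ownership pattern described above, as an added sketch that is not MongoDB's code and not the content of the linked commits. `Manager`, `Context` and `PeriodicJob` are hypothetical stand-ins for SSLManagerOpenSSL, SSLConnectionContext and the OCSPFetcher job, and the weak-reference check is one assumed way to "verify the context is still valid".

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Hypothetical stand-ins for the types named in the ticket.
struct Manager {                       // role of SSLManagerOpenSSL
    int* live;                         // counts managers that have not been destroyed
    explicit Manager(int* c) : live(c) { ++*live; }
    ~Manager() { --*live; }            // in the ticket, stopJobs() runs from here
    void fetch() {}                    // placeholder for the periodic OCSP refresh
};
struct Context { std::shared_ptr<Manager> manager; };  // role of SSLConnectionContext

struct PeriodicJob {                   // role of the runner that owns the callback
    std::function<bool()> callback;    // returns false when the job should stop
    void tick() { if (callback && !callback()) callback = nullptr; }
};

// Before: the callback's strong reference is the only thing deciding the
// manager's lifetime, so the destructor that would stop the job never runs.
PeriodicJob makeUncheckedJob(std::shared_ptr<Manager> m) {
    return PeriodicJob{[m] { m->fetch(); return true; }};
}

// After (assumed approach): also hold a weak reference to the owning context
// and stop the job, releasing the manager, once that context is gone.
PeriodicJob makeCheckedJob(std::shared_ptr<Manager> m, std::weak_ptr<Context> owner) {
    return PeriodicJob{[m, owner] {
        if (owner.expired()) return false;   // owning context was deleted
        m->fetch();
        return true;
    }};
}

// Drops the context, runs one tick, and reports how many managers are still alive.
int managersLeftAfterContextDrop(bool checked) {
    int live = 0;
    auto ctx = std::make_shared<Context>();
    ctx->manager = std::make_shared<Manager>(&live);
    PeriodicJob job = checked ? makeCheckedJob(ctx->manager, ctx)
                              : makeUncheckedJob(ctx->manager);
    ctx.reset();                             // the context is deleted elsewhere
    job.tick();                              // next periodic run of the fetcher
    return live;
}

int main() {
    std::printf("unchecked: %d manager(s) alive\n", managersLeftAfterContextDrop(false));
    std::printf("checked:   %d manager(s) alive\n", managersLeftAfterContextDrop(true));
}
```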

 



 Comments   
Comment by Vivian Ge (Inactive) [ 06/Oct/21 ]

Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it’s been triggered. For more active release information, please keep an eye on #server-release. Thank you!

Comment by Githook User [ 25/Jun/21 ]

Author:

{'name': 'Andrew Shuvalov', 'email': 'andrew.shuvalov@mongodb.com', 'username': 'shuvalov-mdb'}

Message: SERVER-57601: BACKPORT-9750 [v5.0] OCSPFetcher must verify that the SSLConnectionContext that owns SSLManagerOpenSSL is still valid
Branch: v5.0
https://github.com/mongodb/mongo/commit/3b919918b26883d38f80cc2c374ccd1207efa6e1

Comment by Githook User [ 25/Jun/21 ]

Author:

{'name': 'Andrew Shuvalov', 'email': 'andrew.shuvalov@mongodb.com', 'username': 'shuvalov-mdb'}

Message: SERVER-57601: OCSPFetcher must verify that the SSLConnectionContext that owns SSLManagerOpenSSL is still valid
Branch: v5.0
https://github.com/mongodb/mongo/commit/a2924c2fa049b664831fcca6bc34d0dfd9cf33dc

Comment by Andrew Shuvalov (Inactive) [ 18/Jun/21 ]

While doing backports also check if more backports are needed.

Comment by Githook User [ 18/Jun/21 ]

Author:

{'name': 'Andrew Shuvalov', 'email': 'andrew.shuvalov@mongodb.com', 'username': 'shuvalov-mdb'}

Message: SERVER-57601: OCSPFetcher must verify that the SSLConnectionContext that owns SSLManagerOpenSSL is still valid
Branch: master
https://github.com/mongodb/mongo/commit/2cca0d293e35607956f8a84067c563fc3ebfc7cf
