[SERVER-84645] OCSP stapling log messages should indicate response validity Created: 08/Jan/24 Updated: 29/Jan/24

Status: Open
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Participants:

Description

After an OCSP response acquisition attempt, several events might have occurred:

  • A network error
  • One or more responder errors
  • A response which failed signature validation
  • A response which failed to meet policy
  • A response which indicates the subject certificate was revoked
  • A response which indicates the subject certificate was valid

There are probably a few other edge cases. Currently, the main OCSP stapling loop dispatches requests, then logs message 577163 which includes the Status of acquisition and validation. It doesn't report anything about what was observed in the response, meaning that both valid and revoked responses are reported with Status::OK. This is misleading, and can confuse administrators trying to debug revoked responses.
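To make the distinction concrete, here is an added example (not MongoDB's code) that walks the DER of an OCSP response and pulls out the two fields a stapling log line should carry separately: the responseStatus of the response itself and the certStatus of the subject certificate. The sample response is constructed in the block (an unsigned skeleton in the RFC 6960 layout with placeholder hashes, times and signature), so it exercises parsing only, not signature validation or policy checks.

```python
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; supports short and two-byte long-form lengths."""
    n = len(body)
    ln = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def children(body: bytes):
    """Yield (tag, value) for each DER element laid end to end in body."""
    pos = 0
    while pos < len(body):
        tag, first, pos = body[pos], body[pos + 1], pos + 2
        if first & 0x80:  # long-form length: low bits give the byte count
            nbytes, pos = first & 0x7F, pos + (first & 0x7F)
            first = int.from_bytes(body[pos - nbytes:pos], "big")
        yield tag, body[pos:pos + first]
        pos += first

def sample_response(revoked: bool) -> bytes:
    """Constructed sample: unsigned OCSPResponse skeleton, placeholder values."""
    t = der(0x18, b"20240108120000Z")                        # GeneralizedTime
    h = der(0x04, b"\x00" * 20)                              # placeholder SHA-1 hash
    sha1 = der(0x30, der(0x06, b"\x2b\x0e\x03\x02\x1a") + der(0x05, b""))  # AlgorithmIdentifier
    cert_id = der(0x30, sha1 + h + h + der(0x02, b"\x01"))   # CertID, serial 1
    status = der(0xA1, t) if revoked else der(0x80, b"")     # [1] RevokedInfo / [0] good NULL
    single = der(0x30, cert_id + status + t)                 # SingleResponse
    tbs = der(0x30, der(0xA2, h) + t + der(0x30, single))    # ResponseData: byKey, producedAt, responses
    basic = der(0x30, tbs + sha1 + der(0x03, b"\x00" * 9))   # BasicOCSPResponse, dummy signature
    rb = der(0x30, der(0x06, b"\x2b\x06\x01\x05\x05\x07\x30\x01\x01") + der(0x04, basic))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, rb))     # responseStatus = successful(0)

RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}

def summarize(resp: bytes) -> dict:
    """Return responseStatus and certStatus as distinct fields for logging."""
    (_, outer), = children(resp)
    top = list(children(outer))
    out = {"responseStatus": RESPONSE_STATUS.get(top[0][1][0], "unknown"), "certStatus": None}
    if out["responseStatus"] != "successful":
        return out                                           # responder error: no cert status at all
    (_, resp_bytes), = children(top[1][1])                   # [0] EXPLICIT ResponseBytes
    (_, basic), = children(list(children(resp_bytes))[1][1]) # OCTET STRING -> BasicOCSPResponse
    tbs = list(children(basic))[0][1]                        # tbsResponseData
    responses = next(v for tag, v in children(tbs) if tag == 0x30)
    single = list(children(responses))[0][1]                 # first SingleResponse
    out["certStatus"] = CERT_STATUS.get(list(children(single))[1][0], "unknown")
    return out
```

A revoked and a good certificate both yield responseStatus "successful" here, which is exactly why a log line reporting only acquisition status shows Status::OK for both.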


Generated at Thu Feb 08 06:55:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.