<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:18:27 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
<language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-3580] Secure Channel must soft-fail when certificate has no revocation info or revocation responder is offline</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-3580</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;Part of implementing OCSP certificate revocation is to enable soft-fail behavior when an OCSP responder cannot be reached. The OCSP spec recommends continuing connection:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This means that the driver SHOULD default to &#8220;soft fail&#8221; behavior, connecting as long as there are no explicitly invalid certificates&#8212;i.e. the driver will connect even if the status of all the unvalidated certificates has not been confirmed yet (e.g. because an OCSP responder is down).&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;OpenSSL, libtls, and Secure Transport all exhibit soft-fail behavior. This ticket is to make Secure Channel consistent with the other TLS implementations.&lt;/p&gt;

&lt;p&gt;In addition, by default, Secure Channel considers a certificate with no revocation information (a CRL distribution point, OCSP stapled response, or OCSP authorized responders list) invalid.&lt;/p&gt;

&lt;p&gt;Even testing with the ca.pem and server.pem certificates in x509gen fails certificate validation by default: &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/tree/master/src/libmongoc/tests/x509gen&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/tree/master/src/libmongoc/tests/x509gen&lt;/a&gt;. The only reason the &quot;-ssl&quot; tests with secure channel have been passing is because the test runner currently enables weak certification validation (see &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3579&quot; title=&quot;Run TLS tests with certificate validation&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3579&quot;&gt;&lt;del&gt;CDRIVER-3579&lt;/del&gt;&lt;/a&gt;). I worry that users may be using &lt;tt&gt;tlsAllowInvalidHostnames&lt;/tt&gt; to bypass this error, when they really only need to disable the error due to the certificate not having revocation information.&lt;/p&gt;

&lt;p&gt;Note, the shell is using &lt;a href=&quot;https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_chain_policy_para&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS&lt;/a&gt; to enable soft-failing behavior. And the shell ignores errors of peer certificates with no revocation information by &lt;a href=&quot;https://github.com/mongodb/mongo/blob/3cb614281417060da6f8967a7db74ea025e95839/src/mongo/util/net/ssl_manager_windows.cpp#L1797&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;checking CRYPT_E_NO_REVOCATION_CHECK&lt;/a&gt;.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1282147">CDRIVER-3580</key>
            <summary>Secure Channel must soft-fail when certificate has no revocation info or revocation responder is offline</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="kevin.albertson@mongodb.com">Kevin Albertson</assignee>
                                    <reporter username="kevin.albertson@mongodb.com">Kevin Albertson</reporter>
                        <labels>
                    </labels>
                <created>Thu, 19 Mar 2020 14:42:33 +0000</created>
                <updated>Sat, 28 Oct 2023 11:28:51 +0000</updated>
                            <resolved>Thu, 2 Jul 2020 19:21:17 +0000</resolved>
                                                    <fixVersion>1.17.0-rc0</fixVersion>
                    <fixVersion>1.17.0</fixVersion>
                                    <component>tls</component>
                                        <votes>0</votes>
                                    <watches>1</watches>
                <comments>
                            <comment id="3281152" author="xgen-internal-githook" created="Sat, 11 Jul 2020 16:20:40 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Kevin Albertson&apos;, &apos;email&apos;: &apos;kevin.albertson@10gen.com&apos;, &apos;username&apos;: &apos;kevinAlbs&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3580&quot; title=&quot;Secure Channel must soft-fail when certificate has no revocation info or revocation responder is offline&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3580&quot;&gt;&lt;del&gt;CDRIVER-3580&lt;/del&gt;&lt;/a&gt; soft-fail with schannel&lt;/p&gt;

&lt;p&gt;With schannel, if certificate validation occurs due to:&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;certificates not having revocation info&lt;/li&gt;
	&lt;li&gt;OCSP responder / CRL distribution being offline&lt;br/&gt;
Consider this a soft-failure.&lt;br/&gt;
Branch: r1.17&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/7881888b578465c2e6311655f750dc7c2a13d7bb&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/7881888b578465c2e6311655f750dc7c2a13d7bb&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="3269029" author="xgen-internal-githook" created="Thu, 2 Jul 2020 19:20:57 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Kevin Albertson&apos;, &apos;email&apos;: &apos;kevin.albertson@10gen.com&apos;, &apos;username&apos;: &apos;kevinAlbs&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3580&quot; title=&quot;Secure Channel must soft-fail when certificate has no revocation info or revocation responder is offline&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3580&quot;&gt;&lt;del&gt;CDRIVER-3580&lt;/del&gt;&lt;/a&gt; soft-fail with schannel&lt;/p&gt;

&lt;p&gt;With schannel, if certificate validation occurs due to:&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;certificates not having revocation info&lt;/li&gt;
	&lt;li&gt;OCSP responder / CRL distribution being offline&lt;br/&gt;
Consider this a soft-failure.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/6e85ef5dc7c9ef5afeaa636f846518a3227ad940&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/6e85ef5dc7c9ef5afeaa636f846518a3227ad940&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="3268793" author="xgen-internal-githook" created="Thu, 2 Jul 2020 17:14:53 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Kevin Albertson&apos;, &apos;email&apos;: &apos;kevin.albertson@10gen.com&apos;, &apos;username&apos;: &apos;kevinAlbs&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3580&quot; title=&quot;Secure Channel must soft-fail when certificate has no revocation info or revocation responder is offline&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3580&quot;&gt;&lt;del&gt;CDRIVER-3580&lt;/del&gt;&lt;/a&gt; soft-fail with schannel&lt;/p&gt;

&lt;p&gt;With schannel, if certificate validation occurs due to:&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;certificates not having revocation info&lt;/li&gt;
	&lt;li&gt;OCSP responder / CRL distribution being offline&lt;br/&gt;
Consider this a soft-failure.&lt;br/&gt;
Branch: softfail-windows.&lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3719&quot; title=&quot;Ensure OCSP is fully tested&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3719&quot;&gt;&lt;del&gt;CDRIVER-3719&lt;/del&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/ef9eafb9a18ed2470f58d7945f7bd165f7a50b91&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/ef9eafb9a18ed2470f58d7945f7bd165f7a50b91&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="3229897" author="kevin.albertson" created="Tue, 30 Jun 2020 13:21:15 +0000"  >&lt;p&gt;PR: &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/pull/651&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/pull/651&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="1282139">CDRIVER-3579</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="1407843">CDRIVER-3747</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="977420">CDRIVER-3408</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>CDRIVER-3508</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hwxly7:</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>