<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:19:02 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-3788] DNS Lookup Failures to OCSP Exhausts connectTimeoutMS</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-3788</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;In a network/internet restricted environment, DNS lookups to the TLS certificate&apos;s OCSP address may time out when the OCSP is not stapled.  This DNS timeout may require longer than the default connecttimeoutms of 10 seconds (20 seconds is the default DNS lookup timeout for environments tested).&lt;br/&gt;
After failing to resolve the OCSP address, the driver then immediately aborts the connection with a failure on topology (isMaster response marked as NULL).&lt;/p&gt;

&lt;p&gt;Attached is a trace and debug from a PHP driver connection, but the underlying issue appears to be in the C driver used by the PHP driver.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Workaround&lt;/b&gt;: Set the C or PHP URI flag for &lt;b&gt;tlsDisableOCSPEndpointCheck=true&lt;/b&gt; to skip the OCSP portion of the TLS connection.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1460345">CDRIVER-3788</key>
            <summary>DNS Lookup Failures to OCSP Exhausts connectTimeoutMS</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="10038" iconUrl="https://jira.mongodb.org/images/icons/subtask.gif" description="">Backlog</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="jack.alder@mongodb.com">Jack Alder</reporter>
                        <labels>
                    </labels>
                <created>Wed, 2 Sep 2020 17:57:48 +0000</created>
                <updated>Fri, 29 Sep 2023 14:05:39 +0000</updated>
                                                                            <component>OCSP</component>
                    <component>tls</component>
                                        <votes>0</votes>
                                    <watches>9</watches>
                                                                                                                <comments>
                            <comment id="3504921" author="andreas.braun" created="Wed, 25 Nov 2020 09:47:11 +0000"  >&lt;p&gt;The portion about reuse of connections is correct. I should mention that this does not work across PHP processes, but only within the current process. So while you may encounter repeated delays when testing this with a CLI script, this may not be as much of an issue when behind FPM.&lt;/p&gt;</comment>
                            <comment id="3503661" author="kevin.albertson" created="Tue, 24 Nov 2020 15:26:37 +0000"  >&lt;p&gt;Apologies for the delayed response.&lt;/p&gt;

&lt;p&gt;DNS lookup for hosts in libmongoc currently uses getaddrinfo. There is no way to configure a timeout for DNS from within libmongoc, but this may be configurable on a system setting. E.g. by setting the timeout option in &lt;a href=&quot;https://man7.org/linux/man-pages/man5/resolver.5.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;/etc/resolv.conf&lt;/a&gt; on Unix systems.&lt;/p&gt;

&lt;p&gt;Even if we are able to set a timeout in libmongoc, the current recommended driver behavior specified for &lt;a href=&quot;https://github.com/mongodb/specifications/blob/master/source/ocsp-support/ocsp-support.rst#suggested-ocsp-behavior&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;OCSP requests&lt;/a&gt; is five seconds:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;A five-second timeout SHOULD be used for the requests&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;CC &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=andreas.braun&quot; class=&quot;user-hover&quot; rel=&quot;andreas.braun&quot;&gt;andreas.braun&lt;/a&gt; in case I am incorrect. But I believe due to the PHP driver&apos;s &lt;a href=&quot;https://www.php.net/manual/en/mongodb.connection-handling.php&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;reuse of connections&lt;/a&gt;, even if establishing the initial connections has a five-second delay, subsequent PHP requests would reuse those connections, and would not have to redo the TLS handshake (unless connections were closed due to a network error, etc.).&lt;/p&gt;

&lt;p&gt;So overall, if this affects users in constrained environments, I think we should determine how to set a timeout on DNS requests from within libmongoc and implement the five-second timeout for OCSP DNS lookup. One possibility is using &lt;a href=&quot;https://c-ares.haxx.se/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;c-ares&lt;/a&gt;.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="2177362">CDRIVER-4522</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="1452945">CDRIVER-3781</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="1452200">PHPC-1671</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                            <attachment id="276621" name="PHONGO-1599008067pCaVN6.redacted" size="95525" author="jack.alder@mongodb.com" created="Wed, 2 Sep 2020 17:57:28 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                    <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5002K00000qflpaQAA]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>CDRIVER-3870</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_21553" key="com.atlassian.jira.plugin.system.customfieldtypes:labels">
                        <customfieldname>Quarter</customfieldname>
                        <customfieldvalues>
                                        <label>FY24Q4</label>
    
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr6jk7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>