<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:21:10 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-4522] Possible improvements to mitigate negative effects of OCSP endpoint timeouts</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-4522</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;While investigating a related HELP ticket, I realized that the design of libmongoc&apos;s OCSP checks contributed to a server selection failure. This may be related to &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-2480&quot; title=&quot;Mitigate negative effects of OCSP endpoint timeouts&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-2480&quot;&gt;DRIVERS-2480&lt;/a&gt; (more generally mitigating issues of OCSP endpoint failures), but I wanted to create a separate issue since this does pertain to libmongoc&apos;s internals.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/1.23.1/src/libmongoc/src/mongoc/mongoc-openssl.c#L663&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;_contact_ocsp_responder()&lt;/a&gt;&#160;calls&#160;&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/1.23.1/src/libmongoc/src/mongoc/mongoc-http.c#L47&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;_mongoc_http_send()&lt;/a&gt;, which uses&#160;&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/1.23.1/src/libmongoc/src/mongoc/mongoc-client.c#L644&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;mongoc_client_connect_tcp()&lt;/a&gt;. That&apos;s a common function also used to establish MongoDB server connections. Within that function, there is a call to &lt;a href=&quot;https://linux.die.net/man/3/getaddrinfo&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;getaddrinfo(3)&lt;/a&gt; for DNS resolution followed by a loop across its results until a successful socket connection is established. Each of those attempts uses the original timeout (i.e. five seconds for OCSP). The trace logs in the related HELP ticket don&apos;t reveal the DNS results that were attempted, but we do see that the first two attempts exhausted their five-second timeout and the last two failed quickly with &quot;101 Network is unreachable&quot; errors.&lt;/p&gt;

&lt;p&gt;A combination of factors contributed to the OP&apos;s error of not being able to connect to their cluster due to an inaccessible OCSP endpoint:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;DNS resolution on the OCSP hostname prompted libmongoc to make several connection attempts, which are not parallelized.&lt;/li&gt;
	&lt;li&gt;A five-second delay on two or more OCSP hosts is sufficient to exhaust the default 10-second connection timeout.&lt;/li&gt;
	&lt;li&gt;Multiple MongoDB hosts from the initial SRV lookup aren&apos;t directly responsible for connection timeouts, but they do exacerbate the situation by making it more likely to exhaust the 30-second server selection timeout (vs. a single-host seed list that might fail after 10 seconds).&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;With respect to libmongoc, I have the following questions:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Should the timeout option for mongoc_client_connect_tcp apply across all attempts instead of for each? Would this even be worth considering in light of upcoming client-side operation timeout work (&lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3786&quot; title=&quot;Client Side Operations Timeout&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3786&quot;&gt;CDRIVER-3786&lt;/a&gt;)?&lt;/li&gt;
	&lt;li&gt;More generally, would it be feasible to parallelize connection attempts in mongoc_client_connect_tcp? That could be wasteful for the &quot;good&quot; path since the function only needs to establish a single stream.&lt;/li&gt;
	&lt;li&gt;Is there any way to parallelize OCSP checks (assuming it&apos;s worth doing)? I&apos;ll note that OpenSSL TLS handshakes were made non-blocking in libmongoc 1.10 by &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-1956&quot; title=&quot;Topology scanner&amp;#39;s SSL handshake is blocking&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-1956&quot;&gt;&lt;del&gt;CDRIVER-1956&lt;/del&gt;&lt;/a&gt; (other implementations such as Secure Transport are still blocking per &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2885&quot; title=&quot;Topology scanner&amp;#39;s SSL handshake is blocking for secure transport&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2885&quot;&gt;CDRIVER-2885&lt;/a&gt;), but that pre-dated any OCSP work.&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="2177362">CDRIVER-4522</key>
            <summary>Possible improvements to mitigate negative effects of OCSP endpoint timeouts</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="10038" iconUrl="https://jira.mongodb.org/images/icons/subtask.gif" description="">Backlog</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="jmikola@mongodb.com">Jeremy Mikola</reporter>
                        <labels>
                    </labels>
                <created>Tue, 8 Nov 2022 04:19:49 +0000</created>
                <updated>Tue, 15 Nov 2022 08:38:19 +0000</updated>
                                                                            <component>OCSP</component>
                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                    <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="1460345">CDRIVER-3788</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="1452945">CDRIVER-3781</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="1452200">PHPC-1671</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="2166102">DRIVERS-2480</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
    </item>
</channel>
</rss>