<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:25:41 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DRIVERS-2480] Mitigate negative effects of OCSP endpoint timeouts</title>
                <link>https://jira.mongodb.org/browse/DRIVERS-2480</link>
                <project id="10980" key="DRIVERS">Drivers</project>
                    <description>&lt;div class=&quot;panel&quot; style=&quot;background-color: #fafbfc;border-color: #21313c;border-style: solid;border-width: 1px;&quot;&gt;&lt;div class=&quot;panelContent&quot; style=&quot;background-color: #fafbfc;&quot;&gt;
&lt;h3&gt;&lt;a name=&quot;Summary&quot;&gt;&lt;/a&gt;&lt;b&gt;Summary&lt;/b&gt;&lt;/h3&gt;
&lt;p&gt;When OCSP stapling is unavailable, drivers may attempt to contact one or more OCSP endpoints. Per &lt;a href=&quot;https://github.com/mongodb/specifications/blob/master/source/ocsp-support/ocsp-support.rst#id1&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Suggested OCSP Behavior&lt;/a&gt;, the default timeout is five seconds.&lt;/p&gt;

&lt;p&gt;Drivers use &lt;tt&gt;connectTimeoutMS&lt;/tt&gt; as the timeout for connection handshake (&lt;a href=&quot;https://github.com/mongodb/specifications/blob/master/source/server-discovery-and-monitoring/server-monitoring.rst#socket-timeout&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Server Monitoring spec&lt;/a&gt;) and the handshake includes TLS (&lt;a href=&quot;https://github.com/mongodb/specifications/blob/master/source/mongodb-handshake/handshake.rst#example-implementation&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Handshake spec&lt;/a&gt;). Therefore, an inaccessible OCSP endpoint could add five seconds to the handshake.&lt;/p&gt;

&lt;p&gt;If the application is using a smaller &lt;tt&gt;connectTimeoutMS&lt;/tt&gt; value, an inaccessible OCSP endpoint could prevent the driver from establishing a connection to the server. This is irrespective of whether a driver has &quot;soft fail&quot; behavior (i.e. TLS continues if OCSP cannot complete). Drivers with &quot;soft fail&quot; behavior would allow the connection to continue after hitting an OCSP timeout, but only if &lt;tt&gt;connectTimeoutMS&lt;/tt&gt; has not been exhausted.&lt;/p&gt;

&lt;p&gt;When this was observed in a customer report involving the PHP driver, there was originally no indication that TLS/OCSP was involved, as the problem manifested itself as a server selection failure due to a socket timeout attempting to establish a connection. We ultimately confirmed the issue thanks to libmongoc trace logs &lt;/p&gt;

&lt;p&gt;There are several courses of action we might consider to address this:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Allow OCSP timeouts to be configurable (if supported by a driver&apos;s TLS library)&lt;/li&gt;
	&lt;li&gt;Provide documentation to educate users on the interaction between OCSP and connection timeouts. If OCSP timeouts cannot be configured, users should be aware that the five second default might exhaust &lt;tt&gt;connectTimeoutMS&lt;/tt&gt;&lt;/li&gt;
	&lt;li&gt;Note that that &lt;tt&gt;tlsDisableOCSPEndpointCheck&lt;/tt&gt; and &lt;tt&gt;tlsDisableCertificateRevocationCheck&lt;/tt&gt; may be used to work around this issue. In the related PHP issue, the customer used &lt;tt&gt;tlsAllowInvalidCertificates&lt;/tt&gt;, which is unadvisable because it disables much more than OCSP.&lt;/li&gt;
	&lt;li&gt;Add logging for OCSP. There is presently no ticket to add log messages to the OCSP spec (see: &lt;a href=&quot;https://jira.mongodb.org/issues/?jql=project%20%3D%20DRIVERS%20AND%20component%20%3D%20Logging&quot; class=&quot;external-link&quot; rel=&quot;nofollow&quot;&gt;Logging component&lt;/a&gt; and linked issues in &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-1204&quot; title=&quot;Easier debugging with standardized logging&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-1204&quot;&gt;DRIVERS-1204&lt;/a&gt;).&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Note: the &lt;a href=&quot;https://github.com/mongodb/specifications/blob/master/source/client-side-operations-timeout/client-side-operations-timeout.rst&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Client Side Operations Timeout&lt;/a&gt; spec may influence OCSP timeouts; however, even if OCSP timeouts &lt;em&gt;are&lt;/em&gt; configurable (and will dynamically scales down based on the remaining &lt;tt&gt;timeoutMS&lt;/tt&gt;), I think we&apos;d still face an issue with exposing the source of the timeout. In that case, action items for documentation and logging may still be worth addressing.&lt;/p&gt;

&lt;h3&gt;&lt;a name=&quot;Motivation&quot;&gt;&lt;/a&gt;&lt;b&gt;Motivation&lt;/b&gt;&lt;/h3&gt;
&lt;h4&gt;&lt;a name=&quot;Whoistheaffectedenduser%3F&quot;&gt;&lt;/a&gt;Who is the affected end user?&lt;/h4&gt;
&lt;p&gt;Applications using TLS with OCSP but without OCSP stapling.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Howdoesthisaffecttheenduser%3F&quot;&gt;&lt;/a&gt;How does this affect the end user?&lt;/h4&gt;
&lt;p&gt;OCSP timeouts could prevent the driver from making server connections by exhausting the connection timeout.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Howlikelyisitthatthisproblemorusecasewilloccur%3F&quot;&gt;&lt;/a&gt;How likely is it that this problem or use case will occur?&lt;/h4&gt;
&lt;p&gt;This is rare, but could happen due to many factors: app server firewall preventing outgoing HTTP requests, OCSP server experiencing downtime, high latency contacting the OCSP server.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Iftheproblemdoesoccur%2Cwhataretheconsequencesandhowseverearethey%3F&quot;&gt;&lt;/a&gt;If the problem does occur, what are the consequences and how severe are they?&lt;/h4&gt;
&lt;p&gt;Ranges from merely delaying a connection to preventing it entirely.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Isthisissueurgent%3F&quot;&gt;&lt;/a&gt;Is this issue urgent?&lt;/h4&gt;
&lt;p&gt;No.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Isthisticketrequiredbyadownstreamteam%3F&quot;&gt;&lt;/a&gt;Is this ticket required by a downstream team?&lt;/h4&gt;
&lt;p&gt;No.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Isthisticketonlyfortests%3F&quot;&gt;&lt;/a&gt;Is this ticket only for tests?&lt;/h4&gt;
&lt;p&gt;No.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;</description>
                <environment></environment>
        <key id="2166102">DRIVERS-2480</key>
            <summary>Mitigate negative effects of OCSP endpoint timeouts</summary>
                <type id="14901" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14700&amp;avatarType=issuetype">Spec Change</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="10038" iconUrl="https://jira.mongodb.org/images/icons/subtask.gif" description="">Backlog</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="jmikola@mongodb.com">Jeremy Mikola</reporter>
                        <labels>
                    </labels>
                <created>Tue, 25 Oct 2022 03:04:01 +0000</created>
                <updated>Tue, 8 Nov 2022 04:19:49 +0000</updated>
                                                                <component>OCSP</component>
                                        <votes>0</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="4953832" author="kaitlin.mahar" created="Thu, 3 Nov 2022 22:37:29 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jmikola%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;jmikola@mongodb.com&quot;&gt;jmikola@mongodb.com&lt;/a&gt;, I filed and linked &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-2494&quot; title=&quot;Add OCSP logging&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-2494&quot;&gt;DRIVERS-2494&lt;/a&gt; to cover OCSP logging specifically.&lt;/p&gt;</comment>
                            <comment id="4926069" author="JIRAUSER1268808" created="Tue, 25 Oct 2022 16:42:55 +0000"  >&lt;p&gt;Leads Triage: Backlogging this for now, we may decide to go with the third suggested option.&lt;/p&gt;</comment>
                            <comment id="4924286" author="jmikola@gmail.com" created="Tue, 25 Oct 2022 03:06:00 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=kaitlin.mahar%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;kaitlin.mahar@mongodb.com&quot;&gt;kaitlin.mahar@mongodb.com&lt;/a&gt;: I&apos;m not sure if OCSP logging would fall under SDAM (&lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-1670&quot; title=&quot;Add log messages to SDAM spec&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-1670&quot;&gt;DRIVERS-1670&lt;/a&gt;) (as I expect the handshake spec might), but if not you may want to create a separate ticket for the OCSP and link it up here.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="2177362">CDRIVER-4522</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="1326019">DRIVERS-1204</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="2174816">DRIVERS-2494</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                            <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10951" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Driver Changes</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10748"><![CDATA[Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i0xx7k:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        </customfields>
    </item>
</channel>
</rss>