author | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2020-11-09 10:28:09 -0800 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-11-11 05:57:44 +0000 |
commit | 3f3225b4cb8d1ee0a83191a922828b7031b45db5 (patch) | |
tree | b1c2e14ba5fb664f816e820554243d5b379d62ad | |
parent | 7d9b94d035708516ef4a3f1fc0376543138df090 (diff) | |
SERVER-46729 Make Windows shell soft-fail for unavailable OCSP responder
(cherry picked from commit 9dcfaa1261cf847e6692269e77dd5ad4c14324e9)
(cherry picked from commit b6fb02d5780247fa294c1f5cc432a80722b4c21a)
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 3c59ab008ff..2a52552b0a5 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1289,8 +1289,8 @@ Status SSLManagerWindows::_loadCertificates(const SSLParams& params) {
 }
 _clientEngine.CAstore = std::move(swChain.getValue());
- _clientEngine.hasCRL = !params.sslCRLFile.empty();
 }
+ _clientEngine.hasCRL = !params.sslCRLFile.empty();
 const auto serverCAFile = params.sslClusterCAFile.empty() ? params.sslCAFile : params.sslClusterCAFile;
@@ -1301,8 +1301,8 @@ Status SSLManagerWindows::_loadCertificates(const SSLParams& params) {
 }
 _serverEngine.CAstore = std::move(swChain.getValue());
- _serverEngine.hasCRL = !params.sslCRLFile.empty();
 }
+ _serverEngine.hasCRL = !params.sslCRLFile.empty();
 if (hasCertificateSelector(params.sslCertificateSelector)) {
 auto swCert = loadAndValidateCertificateSelector(params.sslCertificateSelector);
@@ -1690,6 +1690,10 @@ Status validatePeerCertificate(const std::string& remoteHost,
 chain_policy_para.cbSize = sizeof(chain_policy_para);
 chain_policy_para.pvExtraPolicyPara = &sslCertChainPolicy;
+ if (!hasCRL) {
+ chain_policy_para.dwFlags |= CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS;
+ }
+
 CERT_CHAIN_POLICY_STATUS certChainPolicyStatus;
 memset(&certChainPolicyStatus, 0, sizeof(certChainPolicyStatus));
 certChainPolicyStatus.cbSize = sizeof(certChainPolicyStatus); |
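Review bot: Nothing at the moved `_clientEngine.hasCRL` assignment says why it now has to sit outside the preceding block, and the same applies to `_serverEngine.hasCRL` in the second hunk. The last hunk of this commit makes `validatePeerCertificate` relax revocation handling on `!hasCRL`, so the flag has to be set even when the block above is skipped, and a later tidy-up could easily move it back inside. A one-line comment would pin that: `// Set unconditionally: validatePeerCertificate soft-fails revocation checks when no CRL file is configured.`. The enclosing `if` starts outside the hunk, so its condition (presumably a CA-file check) is inferred.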
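Review bot: The new `if (!hasCRL)` branch in the third hunk accepts a chain whose revocation status could not be determined at any level (end entity, CA, root, CTL signer), and nothing records that this happened. Because the two earlier hunks set `hasCRL` on both `_clientEngine` and `_serverEngine`, the relaxation appears to reach server-side validation of client certificates as well, although the commit title scopes it to the shell; which engine's flag arrives here is decided outside the hunk. A revoked certificate is then accepted whenever the responder cannot be reached, so I would state the trade-off above the branch, e.g. `// Soft-fail: without a CRL file, an unreachable OCSP/CRL endpoint is treated as "not revoked".`, and log a warning when the chain's revocation status was unknown so operators can see it. `validatePeerCertificate` starts and ends outside the hunk.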