authorShreyas Kalyan <shreyas.kalyan@10gen.com>2020-04-30 21:17:33 -0700
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-05-07 18:36:39 +0000
commit9dcfaa1261cf847e6692269e77dd5ad4c14324e9 (patch)
tree541fd5c07ead6dfd91f9d7f78344e4a27611ce7d
parent0c2d3d87cb5a6ccf1e32394633ff68ac92d3811f (diff)
SERVER-46729 Make Windows shell soft-fail for unavailable OCSP responder
-rw-r--r--jstests/ocsp/ocsp_basic.js10
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp8
2 files changed, 16 insertions, 2 deletions
diff --git a/jstests/ocsp/ocsp_basic.js b/jstests/ocsp/ocsp_basic.js
index c8a635dace9..1ad966497fe 100644
--- a/jstests/ocsp/ocsp_basic.js
+++ b/jstests/ocsp/ocsp_basic.js
@@ -57,8 +57,18 @@ if (determineSSLProvider() === "apple") {
return;
}
+clearOCSPCache();
+
+// Give time for the OCSP cache to clean up.
+sleep(1000);
+
+// Test that soft fail works.
ocsp_options.sslPEMKeyFile = OCSP_SERVER_CERT;
+assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+});
+
clearOCSPCache();
mock_ocsp = new MockOCSPServer("", 1);
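Review bot: The mongod started inside `assert.doesNotThrow` is never stopped within the hunk before `clearOCSPCache()` and the new `MockOCSPServer` are set up for the next phase, so if the lines after the hunk (outside this view) start another mongod with the same options, the soft-fail instance is still running and holds its port and cache state. Add `MongoRunner.stopMongod(conn);` directly after the `assert.doesNotThrow` block so each phase of the test starts from a clean process. The `sleep(1000)` after `clearOCSPCache()` is a timing assumption; the comment could say what is being waited for (e.g. `// Give the OCSP cache-cleanup job time to run before the soft-fail startup.`) so a future reader can judge whether the delay is still needed.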
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 7dba187e380..cab3f2780ae 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1290,8 +1290,8 @@ Status SSLManagerWindows::_loadCertificates(const SSLParams& params) {
}
_clientEngine.CAstore = std::move(swChain.getValue());
- _clientEngine.hasCRL = !params.sslCRLFile.empty();
}
+ _clientEngine.hasCRL = !params.sslCRLFile.empty();
const auto serverCAFile =
params.sslClusterCAFile.empty() ? params.sslCAFile : params.sslClusterCAFile;
@@ -1302,8 +1302,8 @@ Status SSLManagerWindows::_loadCertificates(const SSLParams& params) {
}
_serverEngine.CAstore = std::move(swChain.getValue());
- _serverEngine.hasCRL = !params.sslCRLFile.empty();
}
+ _serverEngine.hasCRL = !params.sslCRLFile.empty();
if (hasCertificateSelector(params.sslCertificateSelector)) {
auto swCert = loadAndValidateCertificateSelector(params.sslCertificateSelector);
@@ -1747,6 +1747,10 @@ Status validatePeerCertificate(const std::string& remoteHost,
chain_policy_para.cbSize = sizeof(chain_policy_para);
chain_policy_para.pvExtraPolicyPara = &sslCertChainPolicy;
+ if (!hasCRL) {
+ chain_policy_para.dwFlags |= CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS;
+ }
+
CERT_CHAIN_POLICY_STATUS certChainPolicyStatus;
memset(&certChainPolicyStatus, 0, sizeof(certChainPolicyStatus));
certChainPolicyStatus.cbSize = sizeof(certChainPolicyStatus);
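Review bot: The new `if (!hasCRL)` branch sets `CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS`, which makes every "revocation status unknown" result for the whole chain (leaf, intermediates and root) pass the policy check, and the code gives no hint that this is the intended OCSP soft-fail behaviour or what its cost is; a comment such as `// OCSP soft-fail (SERVER-46729): with no CRL configured, an unreachable responder must not fail the handshake, so revocation-unknown results are accepted for the whole chain. Anyone able to block the responder therefore also disables revocation checking for this connection.` would make the trade-off explicit. Because the same flag suppresses the error for any reason the status could not be determined, it would be worth logging (at least at debug level) when the chain status carries a revocation-unknown error bit before the policy check clears it, if that is not already done elsewhere in validatePeerCertificate, so operators can detect a responder that is persistently unreachable. The two hunks at lines 1290 and 1302 that move the `hasCRL` assignments out of the CA-store blocks are part of the same change and are what makes the new branch reachable when no CA file is loaded; validatePeerCertificate starts before and continues after this hunk.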