authorErwin Pe <erwin.pe@mongodb.com>2021-08-17 01:07:55 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-08-17 01:37:24 +0000
commitfef0c3a59f8f84b143dd31e48fbd70890998cf89 (patch)
tree4ffe0a02131d26a0034e2d5ce5e7864c7e325836 /src/mongo/util/net
parent0028db3e9c096e2196e66b1181f5e3c33cc435a3 (diff)
SERVER-47804 On Windows, warn user about slow OCSP responses
Diffstat (limited to 'src/mongo/util/net')
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp7
-rw-r--r--src/mongo/util/net/ssl_parameters.idl10
2 files changed, 17 insertions, 0 deletions
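--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1745,6 +1745,7 @@ Status validatePeerCertificate(const std::string& remoteHost,
 certChainPara.dwUrlRetrievalTimeout = gTLSOCSPVerifyTimeoutSecs * 1000;
+auto before = Date_t::now();
 PCCERT_CHAIN_CONTEXT chainContext;
 BOOL ret = CertGetCertificateChain(certChainEngine,
 cert,
@@ -1761,6 +1762,12 @@ Status validatePeerCertificate(const std::string& remoteHost,
 << "CertGetCertificateChain failed: " << errnoWithDescription(gle));
 }
+auto after = Date_t::now();
+auto elapsed = after - before;
+if (elapsed > Seconds(gTLSOCSPSlowResponderWarningSecs)) {
+LOGV2_WARNING(4780400, "OCSP responder was slow to respond", "duration"_attr = elapsed);
+}
+
 UniqueCertChain certChainHolder(chainContext);
 SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslCertChainPolicy;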
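Review bot: The slow-responder warning is only reached on the success path — `auto after = Date_t::now();` is placed after the `if (!ret)` early return whose closing brace is the context line just above it, so a CertGetCertificateChain call that fails, including one that hits the gTLSOCSPVerifyTimeoutSecs URL-retrieval timeout configured on the line before `before` is taken, is exactly the slow case and never logs anything. Capturing `after` and evaluating the threshold immediately after the CertGetCertificateChain call, ahead of the failure check (the start of that `if (!ret)` block lies outside the hunk), would cover both outcomes. The timed span is the whole CertGetCertificateChain call, which presumably includes chain building and any CRL as well as OCSP URL retrieval, so "OCSP responder was slow to respond" may misattribute the delay; a wording such as `"Certificate chain validation, including OCSP/CRL retrieval, was slow"` would match what is actually measured. For operators correlating the warning with a specific peer, adding `"remoteHost"_attr = remoteHost` and `"threshold"_attr = Seconds(gTLSOCSPSlowResponderWarningSecs)` to the LOGV2_WARNING attributes would make it actionable. validatePeerCertificate starts and ends outside the hunk.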
diff --git a/src/mongo/util/net/ssl_parameters.idl b/src/mongo/util/net/ssl_parameters.idl
index 92fa55c4aab..c0cc5ca2c63 100644
--- a/src/mongo/util/net/ssl_parameters.idl
+++ b/src/mongo/util/net/ssl_parameters.idl
@@ -102,6 +102,16 @@ server_parameters:
cpp_varname: "gTLSOCSPStaplingTimeoutSecs"
validator:
gte: 1
+ tlsOCSPSlowResponderWarningSecs:
+ description: >-
+ How long to wait for an OCSP response before logging a
+ warning message indicating that the responder is slow.
+ set_at: startup
+ cpp_vartype: int
+ default: 5
+ cpp_varname: "gTLSOCSPSlowResponderWarningSecs"
+ validator:
+ gte: 1
opensslCipherConfig:
description: "Cipher configuration string for OpenSSL based TLS connections"