author | Erwin Pe <erwin.pe@mongodb.com> | 2021-08-17 01:07:55 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-08-17 01:37:24 +0000 |
commit | fef0c3a59f8f84b143dd31e48fbd70890998cf89 (patch) | |
tree | 4ffe0a02131d26a0034e2d5ce5e7864c7e325836 /src/mongo/util/net | |
parent | 0028db3e9c096e2196e66b1181f5e3c33cc435a3 (diff) | |
download | mongo-fef0c3a59f8f84b143dd31e48fbd70890998cf89.tar.gz |
SERVER-47804 On Windows, warn user about slow OCSP responses
Diffstat (limited to 'src/mongo/util/net')
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 7 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_parameters.idl | 10 |
2 files changed, 17 insertions, 0 deletions
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 4e9e6666faa..e7e212160cd 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1745,6 +1745,7 @@ Status validatePeerCertificate(const std::string& remoteHost,
     certChainPara.dwUrlRetrievalTimeout = gTLSOCSPVerifyTimeoutSecs * 1000;
+    auto before = Date_t::now();
     PCCERT_CHAIN_CONTEXT chainContext;
     BOOL ret = CertGetCertificateChain(certChainEngine,
                                        cert,
@@ -1761,6 +1762,12 @@ Status validatePeerCertificate(const std::string& remoteHost,
                                     << "CertGetCertificateChain failed: " << errnoWithDescription(gle));
     }
+    auto after = Date_t::now();
+    auto elapsed = after - before;
+    if (elapsed > Seconds(gTLSOCSPSlowResponderWarningSecs)) {
+        LOGV2_WARNING(4780400, "OCSP responder was slow to respond", "duration"_attr = elapsed);
+    }
+
     UniqueCertChain certChainHolder(chainContext);
     SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslCertChainPolicy;
diff --git a/src/mongo/util/net/ssl_parameters.idl b/src/mongo/util/net/ssl_parameters.idl
index 92fa55c4aab..c0cc5ca2c63 100644
--- a/src/mongo/util/net/ssl_parameters.idl
+++ b/src/mongo/util/net/ssl_parameters.idl
@@ -102,6 +102,16 @@ server_parameters:
       cpp_varname: "gTLSOCSPStaplingTimeoutSecs"
       validator:
         gte: 1
+    tlsOCSPSlowResponderWarningSecs:
+      description: >-
+        How long to wait for an OCSP response before logging a
+        warning message indicating that the responder is slow.
+      set_at: startup
+      cpp_vartype: int
+      default: 5
+      cpp_varname: "gTLSOCSPSlowResponderWarningSecs"
+      validator:
+        gte: 1
     opensslCipherConfig:
       description: "Cipher configuration string for OpenSSL based TLS connections"
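Review bot: `auto before = Date_t::now();` samples the wall clock, so the `elapsed = after - before` computed in the next hunk of this file is exposed to clock adjustments (NTP steps, manual changes) that happen during the CertGetCertificateChain call, which can yield a spurious slow-responder warning or a negative duration that never trips the threshold. A monotonic time source would make the measurement robust; if the codebase's monotonic Timer utility is available in this file, `Timer timer;` before the call and `auto elapsed = timer.elapsed();` after it would replace both Date_t samples. The enclosing validatePeerCertificate starts and ends outside the hunk.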
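Review bot: The measured interval spans the whole CertGetCertificateChain call — chain building plus every revocation retrieval the call performs, CRL distribution points as well as OCSP responders — so the message `OCSP responder was slow to respond` blames OCSP for a delay that may come from a slow CRL download or from chain building itself. A neutral message such as `"Certificate chain verification was slow; a revocation source (OCSP responder or CRL distribution point) may be unresponsive"` keeps the log accurate for an operator investigating, and a one-line comment above `auto after = Date_t::now();` stating that the interval includes all revocation retrievals would help the next reader. Since the failure branch above appears to return before this point, a retrieval that exceeds dwUrlRetrievalTimeout and fails is reported only as an error and never as slow; if that is intended, a comment saying so would avoid the question on the next review.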
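Review bot: The `gte: 1` validator on tlsOCSPSlowResponderWarningSecs does not relate it to the existing per-URL retrieval timeout behind `gTLSOCSPVerifyTimeoutSecs` (used for `dwUrlRetrievalTimeout` in the cpp hunk), so a warning threshold at or above that timeout is accepted even though, on the successful path, a single retrieval that long fails rather than completes and the warning may rarely fire. Documenting the interaction in the description, e.g. appending `Values at or above the OCSP verify timeout will rarely produce a warning.`, or validating the pair at startup if the IDL framework permits, would catch the misconfiguration. The description also reads as a timeout ("How long to wait for an OCSP response"), whereas the cpp hunk only logs after the fact; `Number of seconds after which a completed certificate chain verification, including OCSP/CRL retrieval, is logged as slow.` describes the actual behaviour. It may also be worth stating that the only consumer in this diff is the Windows (SChannel) manager, if the parameter is indeed Windows-only.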