authorErwin Pe <erwin.pe@mongodb.com>2021-08-17 01:07:55 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-08-17 01:37:24 +0000
commitfef0c3a59f8f84b143dd31e48fbd70890998cf89 (patch)
tree4ffe0a02131d26a0034e2d5ce5e7864c7e325836 /src
parent0028db3e9c096e2196e66b1181f5e3c33cc435a3 (diff)
downloadmongo-fef0c3a59f8f84b143dd31e48fbd70890998cf89.tar.gz
SERVER-47804 On Windows, warn user about slow OCSP responses
Diffstat (limited to 'src')
-rw-r--r--src/mongo/shell/shell_options.cpp1
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp7
-rw-r--r--src/mongo/util/net/ssl_parameters.idl10
-rw-r--r--src/third_party/mock_ocsp_responder/mock_ocsp_responder.py14
4 files changed, 28 insertions, 4 deletions
diff --git a/src/mongo/shell/shell_options.cpp b/src/mongo/shell/shell_options.cpp
index 60d6cae2e24..c1b40a323e5 100644
--- a/src/mongo/shell/shell_options.cpp
+++ b/src/mongo/shell/shell_options.cpp
@@ -70,6 +70,7 @@ const std::set<std::string> kSetShellParameterAllowlist = {
"disabledSecureAllocatorDomains",
"newLineAfterPasswordPromptForTest",
"skipShellCursorFinalize",
+ "tlsOCSPSlowResponderWarningSecs",
};
std::string getMongoShellHelp(StringData name, const moe::OptionSection& options) {
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 4e9e6666faa..e7e212160cd 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1745,6 +1745,7 @@ Status validatePeerCertificate(const std::string& remoteHost,
certChainPara.dwUrlRetrievalTimeout = gTLSOCSPVerifyTimeoutSecs * 1000;
+ auto before = Date_t::now();
PCCERT_CHAIN_CONTEXT chainContext;
BOOL ret = CertGetCertificateChain(certChainEngine,
cert,
@@ -1761,6 +1762,12 @@ Status validatePeerCertificate(const std::string& remoteHost,
<< "CertGetCertificateChain failed: " << errnoWithDescription(gle));
}
+ auto after = Date_t::now();
+ auto elapsed = after - before;
+ if (elapsed > Seconds(gTLSOCSPSlowResponderWarningSecs)) {
+ LOGV2_WARNING(4780400, "OCSP responder was slow to respond", "duration"_attr = elapsed);
+ }
+
UniqueCertChain certChainHolder(chainContext);
SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslCertChainPolicy;
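Review bot: The slow-responder warning is only reachable on the success path — `after`/`elapsed` are computed after the `if (!ret)` branch that returns the "CertGetCertificateChain failed" Status closes, so a responder slow enough to make the chain build fail (for example by exhausting the dwUrlRetrievalTimeout set a few lines above from gTLSOCSPVerifyTimeoutSecs) is reported as a bare failure with no timing hint, which is exactly the case the ticket is about. Move the measurement to directly after the CertGetCertificateChain call, `auto elapsed = Date_t::now() - before;`, and emit the same `"duration"_attr = elapsed` warning (or include the duration in the failure Status) in the error branch as well. Note also that the interval covers the whole chain build rather than the OCSP fetch alone — the same call may retrieve CRLs and intermediates — so the message "OCSP responder was slow to respond" can name the wrong cause; "Certificate chain validation (including revocation checks) was slow" would be accurate without further analysis. validatePeerCertificate starts and ends outside these hunks.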
diff --git a/src/mongo/util/net/ssl_parameters.idl b/src/mongo/util/net/ssl_parameters.idl
index 92fa55c4aab..c0cc5ca2c63 100644
--- a/src/mongo/util/net/ssl_parameters.idl
+++ b/src/mongo/util/net/ssl_parameters.idl
@@ -102,6 +102,16 @@ server_parameters:
cpp_varname: "gTLSOCSPStaplingTimeoutSecs"
validator:
gte: 1
+ tlsOCSPSlowResponderWarningSecs:
+ description: >-
+ How long to wait for an OCSP response before logging a
+ warning message indicating that the responder is slow.
+ set_at: startup
+ cpp_vartype: int
+ default: 5
+ cpp_varname: "gTLSOCSPSlowResponderWarningSecs"
+ validator:
+ gte: 1
opensslCipherConfig:
description: "Cipher configuration string for OpenSSL based TLS connections"
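Review bot: The description of tlsOCSPSlowResponderWarningSecs reads as if the parameter introduces a wait ("How long to wait for an OCSP response before logging"), but the value is a threshold compared against the elapsed time after chain validation has finished; nothing waits on it. Suggested wording: `Time, in seconds, that peer certificate chain validation (which includes OCSP responder requests) may take before a warning that the responder was slow is logged.` It is also worth stating in the description that the value only makes sense below tlsOCSPVerifyTimeoutSecs, since each URL retrieval is bounded by that timeout and a larger threshold will rarely, if ever, be exceeded — presumably, as the relationship is not enforced by the validator here.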
diff --git a/src/third_party/mock_ocsp_responder/mock_ocsp_responder.py b/src/third_party/mock_ocsp_responder/mock_ocsp_responder.py
index 236b14519df..1aee2990fcc 100644
--- a/src/third_party/mock_ocsp_responder/mock_ocsp_responder.py
+++ b/src/third_party/mock_ocsp_responder/mock_ocsp_responder.py
@@ -48,6 +48,7 @@ import re
import enum
import sys
import textwrap
+import time
from datetime import datetime, timezone, timedelta
from typing import Callable, Tuple, Optional
@@ -452,7 +453,7 @@ app = Flask(__name__)
class OCSPResponder:
def __init__(self, issuer_cert: str, responder_cert: str, responder_key: str,
- fault: str, next_update_seconds: int):
+ fault: str, next_update_seconds: int, response_delay_seconds: int):
"""
Create a new OCSPResponder instance.
@@ -468,7 +469,7 @@ class OCSPResponder:
will return the corresponding certificate as a string.
:param next_update_seconds: The ``nextUpdate`` value that will be written
into the response. Default: 9 hours.
-
+ :param response_delay_seconds: Delays the HTTP response by this many seconds.
"""
# Certs and keys
self._issuer_cert = asymmetric.load_certificate(issuer_cert)
@@ -480,6 +481,8 @@ class OCSPResponder:
self._fault = fault
+ self._response_delay_seconds = response_delay_seconds
+
def _fail(self, status: ResponseStatus) -> OCSPResponse:
builder = OCSPResponseBuilder(response_status=status.value)
return builder.build()
@@ -572,6 +575,9 @@ class OCSPResponder:
def build_http_response(self, request_der: bytes) -> Response:
global app
response_der = self._build_ocsp_response(request_der).dump()
+ if self._response_delay_seconds > 0:
+ logger.warning("Delaying OCSP response by " + str(self._response_delay_seconds) + " seconds")
+ time.sleep(self._response_delay_seconds)
resp = app.make_response((response_der, 200))
resp.headers['content_type'] = 'application/ocsp-response'
return resp
@@ -579,9 +585,9 @@ class OCSPResponder:
responder = None
-def init_responder(issuer_cert: str, responder_cert: str, responder_key: str, fault: str, next_update_seconds: int):
+def init_responder(issuer_cert: str, responder_cert: str, responder_key: str, fault: str, next_update_seconds: int, response_delay_seconds: int):
global responder
- responder = OCSPResponder(issuer_cert=issuer_cert, responder_cert=responder_cert, responder_key=responder_key, fault=fault, next_update_seconds=next_update_seconds)
+ responder = OCSPResponder(issuer_cert=issuer_cert, responder_cert=responder_cert, responder_key=responder_key, fault=fault, next_update_seconds=next_update_seconds, response_delay_seconds=response_delay_seconds)
def init(port=8080, debug=False, host=None):
logger.info('Launching %sserver on port %d', 'debug' if debug else '', port)
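Review bot: `response_delay_seconds` is added to `OCSPResponder.__init__` and to `init_responder` as a required positional parameter with no default, so every existing caller of either breaks until it is updated, and the callers of `init_responder` are not part of this diff. Defaulting it, `response_delay_seconds: int = 0`, in both signatures keeps existing callers working and makes the no-delay behaviour explicit, matching the `> 0` check in `build_http_response`; the docstring line could then read `:param response_delay_seconds: Delays the HTTP response by this many seconds (0 disables the delay).`. In `build_http_response`, the log line builds its message by string concatenation while the rest of the file uses logger formatting (see `logger.info('Launching %sserver on port %d', ...)`); `logger.warning("Delaying OCSP response by %d seconds", self._response_delay_seconds)` keeps the style consistent, and since the delay is a deliberate test configuration, `logger.info` is arguably the better level.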