author | Erwin Pe <erwin.pe@mongodb.com> | 2021-08-17 01:07:55 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-08-17 01:37:24 +0000 |
commit | fef0c3a59f8f84b143dd31e48fbd70890998cf89 (patch) | |
tree | 4ffe0a02131d26a0034e2d5ce5e7864c7e325836 /src | |
parent | 0028db3e9c096e2196e66b1181f5e3c33cc435a3 (diff) | |
download | mongo-fef0c3a59f8f84b143dd31e48fbd70890998cf89.tar.gz |
SERVER-47804 On Windows, warn user about slow OCSP responses
Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/shell/shell_options.cpp | 1 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 7 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_parameters.idl | 10 | ||||
-rw-r--r-- | src/third_party/mock_ocsp_responder/mock_ocsp_responder.py | 14 |
4 files changed, 28 insertions, 4 deletions
diff --git a/src/mongo/shell/shell_options.cpp b/src/mongo/shell/shell_options.cpp
index 60d6cae2e24..c1b40a323e5 100644
--- a/src/mongo/shell/shell_options.cpp
+++ b/src/mongo/shell/shell_options.cpp
@@ -70,6 +70,7 @@ const std::set<std::string> kSetShellParameterAllowlist = {
 "disabledSecureAllocatorDomains",
 "newLineAfterPasswordPromptForTest",
 "skipShellCursorFinalize",
+ "tlsOCSPSlowResponderWarningSecs",
 };
 std::string getMongoShellHelp(StringData name, const moe::OptionSection& options) {
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 4e9e6666faa..e7e212160cd 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1745,6 +1745,7 @@ Status validatePeerCertificate(const std::string& remoteHost,
 certChainPara.dwUrlRetrievalTimeout = gTLSOCSPVerifyTimeoutSecs * 1000;
+ auto before = Date_t::now();
 PCCERT_CHAIN_CONTEXT chainContext;
 BOOL ret = CertGetCertificateChain(certChainEngine,
 cert,
@@ -1761,6 +1762,12 @@ Status validatePeerCertificate(const std::string& remoteHost,
 << "CertGetCertificateChain failed: " << errnoWithDescription(gle));
 }
+ auto after = Date_t::now();
+ auto elapsed = after - before;
+ if (elapsed > Seconds(gTLSOCSPSlowResponderWarningSecs)) {
+ LOGV2_WARNING(4780400, "OCSP responder was slow to respond", "duration"_attr = elapsed);
+ }
+
 UniqueCertChain certChainHolder(chainContext);
 SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslCertChainPolicy;
diff --git a/src/mongo/util/net/ssl_parameters.idl b/src/mongo/util/net/ssl_parameters.idl
index 92fa55c4aab..c0cc5ca2c63 100644
--- a/src/mongo/util/net/ssl_parameters.idl
+++ b/src/mongo/util/net/ssl_parameters.idl
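Review bot: The interval between `before` and `after` brackets the whole CertGetCertificateChain call, so the 4780400 warning attributes any slow chain build to the OCSP responder, including CRL retrieval and chain-engine work done inside the same call. Either say so on the added lines — `// Covers the entire chain build (CRL/OCSP retrieval included), not just the OCSP round trip` — or reword the message to say chain validation was slow. The `after` sample is also taken only after the branch that returns the "CertGetCertificateChain failed" status, so a slow call that ends in that failure branch is never reported; taking `auto after = Date_t::now();` and doing the comparison before that branch would cover both outcomes. validatePeerCertificate starts and ends outside these hunks.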
@@ -102,6 +102,16 @@ server_parameters:
 cpp_varname: "gTLSOCSPStaplingTimeoutSecs"
 validator:
 gte: 1
+ tlsOCSPSlowResponderWarningSecs:
+ description: >-
+ How long to wait for an OCSP response before logging a
+ warning message indicating that the responder is slow.
+ set_at: startup
+ cpp_vartype: int
+ default: 5
+ cpp_varname: "gTLSOCSPSlowResponderWarningSecs"
+ validator:
+ gte: 1
 opensslCipherConfig:
 description: "Cipher configuration string for OpenSSL based TLS connections"
diff --git a/src/third_party/mock_ocsp_responder/mock_ocsp_responder.py b/src/third_party/mock_ocsp_responder/mock_ocsp_responder.py
index 236b14519df..1aee2990fcc 100644
--- a/src/third_party/mock_ocsp_responder/mock_ocsp_responder.py
+++ b/src/third_party/mock_ocsp_responder/mock_ocsp_responder.py
@@ -48,6 +48,7 @@ import re
 import enum
 import sys
 import textwrap
+import time
 from datetime import datetime, timezone, timedelta
 from typing import Callable, Tuple, Optional
@@ -452,7 +453,7 @@ app = Flask(__name__)
 class OCSPResponder:
 def __init__(self, issuer_cert: str, responder_cert: str, responder_key: str,
- fault: str, next_update_seconds: int):
+ fault: str, next_update_seconds: int, response_delay_seconds: int):
 """
 Create a new OCSPResponder instance.
@@ -468,7 +469,7 @@ class OCSPResponder:
 will return the corresponding certificate as a string.
 :param next_update_seconds: The ``nextUpdate`` value that will be written
 into the response. Default: 9 hours.
-
+ :param response_delay_seconds: Delays the HTTP response by this many seconds.
 """
 # Certs and keys
 self._issuer_cert = asymmetric.load_certificate(issuer_cert)
@@ -480,6 +481,8 @@ class OCSPResponder:
 self._fault = fault
+ self._response_delay_seconds = response_delay_seconds
+
 def _fail(self, status: ResponseStatus) -> OCSPResponse:
 builder = OCSPResponseBuilder(response_status=status.value)
 return builder.build()
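Review bot: The description of tlsOCSPSlowResponderWarningSecs reads as if the parameter controls how long the server waits for an OCSP response, but it only sets the threshold above which the warning is logged; the wait itself is still bounded by tlsOCSPVerifyTimeoutSecs (used as dwUrlRetrievalTimeout in the ssl_manager_windows.cpp hunk). Suggest wording it as `Elapsed time for certificate chain validation (including OCSP retrieval), in seconds, above which a warning that the responder is slow is logged. Does not change how long the server waits.` In this commit only ssl_manager_windows.cpp reads gTLSOCSPSlowResponderWarningSecs, so if the warning is meant to be Windows-only for now, the description should say so.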
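Review bot: `response_delay_seconds` is added to `OCSPResponder.__init__` (and to `init_responder` in the next hunk) without a default, so any existing caller of init_responder that does not pass it will now raise TypeError; `response_delay_seconds: int = 0` on both signatures keeps no-delay as the default, which matches the `> 0` guard in build_http_response. The new docstring entry could also state that 0 disables the delay.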
@@ -572,6 +575,9 @@ class OCSPResponder:
 def build_http_response(self, request_der: bytes) -> Response:
 global app
 response_der = self._build_ocsp_response(request_der).dump()
+ if self._response_delay_seconds > 0:
+ logger.warning("Delaying OCSP response by " + str(self._response_delay_seconds) + " seconds")
+ time.sleep(self._response_delay_seconds)
 resp = app.make_response((response_der, 200))
 resp.headers['content_type'] = 'application/ocsp-response'
 return resp
@@ -579,9 +585,9 @@ class OCSPResponder:
 responder = None
-def init_responder(issuer_cert: str, responder_cert: str, responder_key: str, fault: str, next_update_seconds: int):
+def init_responder(issuer_cert: str, responder_cert: str, responder_key: str, fault: str, next_update_seconds: int, response_delay_seconds: int):
 global responder
- responder = OCSPResponder(issuer_cert=issuer_cert, responder_cert=responder_cert, responder_key=responder_key, fault=fault, next_update_seconds=next_update_seconds)
+ responder = OCSPResponder(issuer_cert=issuer_cert, responder_cert=responder_cert, responder_key=responder_key, fault=fault, next_update_seconds=next_update_seconds, response_delay_seconds=response_delay_seconds)
 def init(port=8080, debug=False, host=None):
 logger.info('Launching %sserver on port %d', 'debug' if debug else '', port)
|
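Review bot: The added `logger.warning` in build_http_response builds its message by string concatenation, while the rest of the file uses lazy %-formatting (`logger.info('Launching %sserver on port %d', ...)` in the same hunk); `logger.warning("Delaying OCSP response by %d seconds", self._response_delay_seconds)` matches that style. Since the delay is deliberate test behaviour rather than a fault, `logger.info` is probably the more appropriate level. `time.sleep` blocks the worker serving this request; whether other OCSP requests are served during the delay depends on how the server is run, which is not visible here, so a one-line comment on the sleep stating the intended effect would help.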