-rw-r--r--jstests/ocsp/ocsp_connection_type_testing.js87
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp9
2 files changed, 95 insertions, 1 deletions
diff --git a/jstests/ocsp/ocsp_connection_type_testing.js b/jstests/ocsp/ocsp_connection_type_testing.js
new file mode 100644
index 00000000000..b4f7ccae42b
--- /dev/null
+++ b/jstests/ocsp/ocsp_connection_type_testing.js
@@ -0,0 +1,87 @@
+// Check that OCSP verification works
+// @tags: [requires_http_client]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (determineSSLProvider() != "openssl") {
+ return;
+}
+
+let mock_ocsp = new MockOCSPServer("", 10);
+mock_ocsp.start();
+
+// Set Default timeout time to 2 minutes so test doesn't
+// run forever.
+ReplSetTest.kDefaultTimeoutMS = 1 * 30 * 1000;
+
+// We don't want to invoke the hang analyzer because we
+// expect this test to fail by timing out
+MongoRunner.runHangAnalyzer.disable();
+
+const ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_CERT,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "ocspEnabled": "true",
+ },
+};
+
+const rstest = ReplSetTest({
+ name: "OCSP Servers Test",
+ nodes: 2,
+ nodeOptions: ocsp_options,
+});
+
+rstest.startSet();
+
+mock_ocsp.stop();
+
+mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 10);
+mock_ocsp.start();
+
+sleep(10);
+
+assert.throws(() => {
+ rstest.initialize();
+});
+
+rstest.stopSet();
+
+mock_ocsp.stop();
+
+// The next few tests depend on stapling
+// being available.
+if (!supportsStapling()) {
+ return;
+}
+
+mock_ocsp = new MockOCSPServer();
+mock_ocsp.start();
+
+let conn = null;
+
+assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+});
+mock_ocsp.stop();
+
+mock_ocsp = new MockOCSPServer(FAULT_REVOKED);
+mock_ocsp.start();
+
+// The OCSP status of the client's cert would be Revoked,
+// but because we don't want the Server to check the status
+// of the client's cert, we assert that this doesn't throw.
+assert.doesNotThrow(() => {
+ new Mongo(conn.host);
+});
+
+MongoRunner.stopMongod(conn);
+
+sleep(1000);
+mock_ocsp.stop();
+}());
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 37f320c960b..1a992f66b44 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1378,6 +1378,10 @@ constexpr int OCSP_CLIENT_RESPONSE_ERROR = -1;
constexpr int OCSP_CLIENT_RESPONSE_ACCEPTABLE = 1;
int ocspClientCallback(SSL* ssl, void* arg) {
+ if (getSSLGlobalParams().sslAllowInvalidCertificates) {
+ return OCSP_CLIENT_RESPONSE_ACCEPTABLE;
+ }
+
const unsigned char* response_ptr = NULL;
long length = SSL_get_tlsext_status_ocsp_resp(ssl, &response_ptr);
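Review bot: The early return added at the top of `ocspClientCallback` silently accepts whatever stapled status (including Revoked) the server sent when invalid certificates are allowed, and nothing says why; add `// With sslAllowInvalidCertificates the peer chain is not validated at all, so a stapled OCSP status must not fail the handshake either.` above the `if`. This path reads `getSSLGlobalParams().sslAllowInvalidCertificates` while the sibling change in `parseAndValidatePeerCertificate` reads the member `_allowInvalidCertificates`; if an SSLManager instance can be constructed with settings that differ from the globals, the two OCSP paths could disagree, so it seems safer to derive both from the same source (whether the manager is reachable via `arg` here is not visible in the hunk). `ocspClientCallback` continues past the end of the hunk.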
@@ -2145,7 +2149,10 @@ Future<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
}
Future<void> ocspFuture;
- if (sslOCSPEnabled) {
+
+ // The check to ensure that remoteHost is empty is to ensure that we only run OCSP
+ // verification when we are a client, never as a server.
+ if (sslOCSPEnabled && !remoteHost.empty() && !_allowInvalidCertificates) {
ocspFuture = ocspClientVerification(conn);
}