summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/mongo/shell/shell_options.cpp1
-rw-r--r--src/mongo/util/net/ocsp/ocsp_manager.cpp56
-rw-r--r--src/mongo/util/net/ocsp/ocsp_manager.h11
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp18
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp2
-rw-r--r--src/mongo/util/net/ssl_parameters.idl21
6 files changed, 80 insertions, 29 deletions
diff --git a/src/mongo/shell/shell_options.cpp b/src/mongo/shell/shell_options.cpp
index 4cd0fb791d9..2365462e317 100644
--- a/src/mongo/shell/shell_options.cpp
+++ b/src/mongo/shell/shell_options.cpp
@@ -65,6 +65,7 @@ const std::set<std::string> kSetShellParameterWhitelist = {
"awsEC2InstanceMetadataUrl",
"awsECSInstanceMetadataUrl",
"ocspEnabled",
+ "ocspClientHttpTimeoutSecs",
"disabledSecureAllocatorDomains",
"newLineAfterPasswordPromptForTest",
"skipShellCursorFinalize",
diff --git a/src/mongo/util/net/ocsp/ocsp_manager.cpp b/src/mongo/util/net/ocsp/ocsp_manager.cpp
index 11ebf085bde..9b0a2e517c7 100644
--- a/src/mongo/util/net/ocsp/ocsp_manager.cpp
+++ b/src/mongo/util/net/ocsp/ocsp_manager.cpp
@@ -32,6 +32,7 @@
#include "mongo/db/client.h"
#include "mongo/executor/network_interface_factory.h"
#include "mongo/util/net/ocsp/ocsp_manager.h"
+#include "mongo/util/net/ssl_parameters_gen.h"
namespace mongo {
@@ -52,14 +53,24 @@ auto makeTaskExecutor() {
OCSPManager::OCSPManager() {
_pool = makeTaskExecutor();
- _client = HttpClient::create();
- if (!_client) {
+ this->_tlsServerHttp = HttpClient::create();
+ this->_tlsClientHttp = HttpClient::create();
+
+ if (!this->_tlsServerHttp) {
return;
}
- _client->allowInsecureHTTP(true);
- _client->setTimeout(kOCSPRequestTimeoutSeconds);
- _client->setHeaders({"Content-Type: application/ocsp-request"});
+ this->_tlsClientHttp->allowInsecureHTTP(true);
+ this->_tlsClientHttp->setTimeout(Seconds(gTLSOCSPVerifyTimeoutSecs));
+ this->_tlsClientHttp->setHeaders({"Content-Type: application/ocsp-request"});
+
+ this->_tlsServerHttp->allowInsecureHTTP(true);
+ if (gTLSOCSPStaplingTimeoutSecs < 0) {
+ this->_tlsServerHttp->setTimeout(Seconds(gTLSOCSPVerifyTimeoutSecs));
+ } else {
+ this->_tlsServerHttp->setTimeout(Seconds(gTLSOCSPStaplingTimeoutSecs));
+ }
+ this->_tlsServerHttp->setHeaders({"Content-Type: application/ocsp-request"});
}
void OCSPManager::startThreadPool() {
@@ -73,8 +84,9 @@ void OCSPManager::startThreadPool() {
* Returns a vector of bytes to be constructed into a OCSP response.
*/
Future<std::vector<uint8_t>> OCSPManager::requestStatus(std::vector<uint8_t> data,
- StringData responderURI) {
- if (!this->_client) {
+ StringData responderURI,
+ OCSPPurpose purpose) {
+ if (!this->_tlsClientHttp || !this->_tlsServerHttp) {
return Future<std::vector<uint8_t>>::makeReady(
Status(ErrorCodes::InternalErrorNotSupported, "HTTP Client not supported"));
}
@@ -82,19 +94,23 @@ Future<std::vector<uint8_t>> OCSPManager::requestStatus(std::vector<uint8_t> dat
auto pf = makePromiseFuture<DataBuilder>();
std::string uri("http://" + responderURI);
- _pool->schedule(
- [this, promise = std::move(pf.promise), uri = std::move(uri), data = std::move(data)](
- auto status) mutable {
- if (!status.isOK()) {
- return;
- }
- try {
- auto result = this->_client->post(uri, data);
- promise.emplaceValue(std::move(result));
- } catch (...) {
- promise.setError(exceptionToStatus());
- }
- });
+ _pool->schedule([this,
+ purpose,
+ promise = std::move(pf.promise),
+ uri = std::move(uri),
+ data = std::move(data)](auto status) mutable {
+ if (!status.isOK()) {
+ return;
+ }
+ try {
+ const auto& client =
+ purpose == OCSPPurpose::kClientVerify ? this->_tlsClientHttp : this->_tlsServerHttp;
+ auto result = client->post(uri, data);
+ promise.emplaceValue(std::move(result));
+ } catch (...) {
+ promise.setError(exceptionToStatus());
+ }
+ });
return std::move(pf.future).then(
[](DataBuilder dataBuilder) mutable -> Future<std::vector<uint8_t>> {
diff --git a/src/mongo/util/net/ocsp/ocsp_manager.h b/src/mongo/util/net/ocsp/ocsp_manager.h
index e392b5e0a12..674e3b5476b 100644
--- a/src/mongo/util/net/ocsp/ocsp_manager.h
+++ b/src/mongo/util/net/ocsp/ocsp_manager.h
@@ -38,7 +38,8 @@
namespace mongo {
-constexpr Seconds kOCSPRequestTimeoutSeconds(5);
+enum class OCSPPurpose { kClientVerify, kStaple };
+
class OCSPManager {
public:
@@ -50,12 +51,16 @@ public:
return &manager;
};
- Future<std::vector<uint8_t>> requestStatus(std::vector<uint8_t> data, StringData responderURI);
+ Future<std::vector<uint8_t>> requestStatus(std::vector<uint8_t> data,
+ StringData responderURI,
+ OCSPPurpose direction);
void startThreadPool();
private:
- std::unique_ptr<HttpClient> _client;
+ std::unique_ptr<HttpClient> _tlsClientHttp;
+ std::unique_ptr<HttpClient> _tlsServerHttp;
+
std::unique_ptr<ThreadPool> _pool;
};
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 67f29f435a9..7d678f0d1c5 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -693,7 +693,8 @@ StatusWith<std::vector<std::string>> addOCSPUrlToMap(
}
Future<UniqueOCSPResponse> retrieveOCSPResponse(const std::string& host,
- OCSPRequestAndIDs& ocspRequestAndIDs) {
+ OCSPRequestAndIDs& ocspRequestAndIDs,
+ OCSPPurpose purpose) {
auto& [ocspReq, certIDs] = ocspRequestAndIDs;
// Decompose the OCSP request into a DER encoded OCSP request
@@ -711,7 +712,7 @@ Future<UniqueOCSPResponse> retrieveOCSPResponse(const std::string& host,
// Query the OCSP responder
return OCSPManager::get()
- ->requestStatus(buffer, host)
+ ->requestStatus(buffer, host, purpose)
.then([](std::vector<uint8_t> responseData) mutable -> StatusWith<UniqueOCSPResponse> {
const uint8_t* respDataPtr = responseData.data();
@@ -824,7 +825,8 @@ StatusWith<std::pair<OCSPCertIDSet, Date_t>> parseAndValidateOCSPResponse(
Future<OCSPFetchResponse> dispatchRequests(SSL_CTX* context,
std::shared_ptr<STACK_OF(X509)> intermediateCerts,
- OCSPValidationContext& ocspContext) {
+ OCSPValidationContext& ocspContext,
+ OCSPPurpose purpose) {
auto& [ocspRequestMap, _, leafResponders] = ocspContext;
struct OCSPCompletionState {
@@ -844,7 +846,8 @@ Future<OCSPFetchResponse> dispatchRequests(SSL_CTX* context,
for (auto host : leafResponders) {
auto& ocspRequestAndIDs = ocspRequestMap[host];
- Future<UniqueOCSPResponse> futureResponse = retrieveOCSPResponse(host, ocspRequestAndIDs);
+ Future<UniqueOCSPResponse> futureResponse =
+ retrieveOCSPResponse(host, ocspRequestAndIDs, purpose);
futureResponses.push_back(std::move(futureResponse));
};
@@ -965,7 +968,9 @@ private:
auto ocspContext = std::move(swOCSPContext.getValue());
auto swResponse =
- dispatchRequests(key.context, key.intermediateCerts, ocspContext).getNoThrow();
+ dispatchRequests(
+ key.context, key.intermediateCerts, ocspContext, OCSPPurpose::kClientVerify)
+ .getNoThrow();
if (!swResponse.isOK()) {
return boost::none;
}
@@ -1753,7 +1758,8 @@ Status SSLManagerOpenSSL::stapleOCSPResponse(SSL_CTX* context) {
auto ocspContext = std::move(swOCSPContext.getValue());
- return dispatchRequests(context, std::move(intermediateCerts), ocspContext)
+ return dispatchRequests(
+ context, std::move(intermediateCerts), ocspContext, OCSPPurpose::kStaple)
.onCompletion([](StatusWith<OCSPFetchResponse> swResponse) -> Milliseconds {
if (!swResponse.isOK()) {
LOGV2_WARNING(23233, "Could not staple OCSP response to outgoing certificate.");
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index cab3f2780ae..45b7267e48e 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1708,6 +1708,8 @@ Status validatePeerCertificate(const std::string& remoteHost,
certChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = usage;
}
+ certChainPara.dwUrlRetrievalTimeout = kTLSClientOCSPTimeoutSecs * 1000;
+
PCCERT_CHAIN_CONTEXT chainContext;
BOOL ret = CertGetCertificateChain(certChainEngine,
cert,
diff --git a/src/mongo/util/net/ssl_parameters.idl b/src/mongo/util/net/ssl_parameters.idl
index 3a106ec54a8..76929f4c31b 100644
--- a/src/mongo/util/net/ssl_parameters.idl
+++ b/src/mongo/util/net/ssl_parameters.idl
@@ -80,6 +80,27 @@ server_parameters:
cpp_varname: "kOCSPValidationRefreshPeriodSecs"
validator:
gte: 1
+ tlsOCSPVerifyTimeoutSecs:
+ description: >-
+ How long the http client should wait before timing out
+ when fetching OCSP Responses for peer certificate
+ set_at: startup
+ cpp_vartype: int
+ default: 5
+ cpp_varname: "gTLSOCSPVerifyTimeoutSecs"
+ validator:
+ gte: 1
+ tlsOCSPStaplingTimeoutSecs:
+ description: >-
+ How long the http client should wait before timing out
+ when fetching OCSP Responses for stapling. If not set,
+ value is taken from tlsClientOCSPTimeoutSecs
+ set_at: startup
+ cpp_vartype: int
+ default: -1
+ cpp_varname: "gTLSOCSPStaplingTimeoutSecs"
+ validator:
+ gte: 1
opensslCipherConfig:
description: "Cipher configuration string for OpenSSL based TLS connections"