From fef0c3a59f8f84b143dd31e48fbd70890998cf89 Mon Sep 17 00:00:00 2001
From: Erwin Pe
Date: Tue, 17 Aug 2021 01:07:55 +0000
Subject: SERVER-47804 On Windows, warn user about slow OCSP responses

---
 src/mongo/util/net/ssl_manager_windows.cpp | 7 +++++++
 src/mongo/util/net/ssl_parameters.idl | 10 ++++++++++
 2 files changed, 17 insertions(+)
(limited to 'src/mongo/util/net')
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 4e9e6666faa..e7e212160cd 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1745,6 +1745,7 @@ Status validatePeerCertificate(const std::string& remoteHost,
 certChainPara.dwUrlRetrievalTimeout = gTLSOCSPVerifyTimeoutSecs * 1000;
+ auto before = Date_t::now();
 PCCERT_CHAIN_CONTEXT chainContext;
 BOOL ret = CertGetCertificateChain(certChainEngine,
 cert,
@@ -1761,6 +1762,12 @@ Status validatePeerCertificate(const std::string& remoteHost,
 << "CertGetCertificateChain failed: " << errnoWithDescription(gle));
 }
+ auto after = Date_t::now();
+ auto elapsed = after - before;
+ if (elapsed > Seconds(gTLSOCSPSlowResponderWarningSecs)) {
+ LOGV2_WARNING(4780400, "OCSP responder was slow to respond", "duration"_attr = elapsed);
+ }
+
 UniqueCertChain certChainHolder(chainContext);
 SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslCertChainPolicy;
diff --git a/src/mongo/util/net/ssl_parameters.idl b/src/mongo/util/net/ssl_parameters.idl
index 92fa55c4aab..c0cc5ca2c63 100644
--- a/src/mongo/util/net/ssl_parameters.idl
+++ b/src/mongo/util/net/ssl_parameters.idl
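Review bot: The warning at `LOGV2_WARNING(4780400, "OCSP responder was slow to respond", ...)` attributes the entire wall time of `CertGetCertificateChain` to the OCSP responder, yet that call also builds the chain and performs whatever URL retrievals (CRL as well as OCSP) the engine decides on, so the message can blame OCSP for a slow CRL download, and it omits which peer triggered it, which is what an operator needs to correlate the warning with a revocation-infrastructure outage. A wider message carrying the peer would be more actionable, e.g. `LOGV2_WARNING(4780400, "Certificate chain validation (OCSP/CRL retrieval) was slow", "remoteHost"_attr = remoteHost, "duration"_attr = elapsed);`. The early `return` in the failure branch just above the new lines exits before the timing code runs, so a retrieval that runs to `dwUrlRetrievalTimeout` and then fails is presumably never reported as slow; if that case matters, take `after` before the `ret` check. `Date_t::now()` is wall-clock time, so a clock step during the call can produce a spurious or negative `elapsed`; a monotonic source is the safer choice for a duration. validatePeerCertificate starts and ends outside this hunk.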
@@ -102,6 +102,16 @@ server_parameters:
 cpp_varname: "gTLSOCSPStaplingTimeoutSecs"
 validator:
 gte: 1
+ tlsOCSPSlowResponderWarningSecs:
+ description: >-
+ How long to wait for an OCSP response before logging a
+ warning message indicating that the responder is slow.
+ set_at: startup
+ cpp_vartype: int
+ default: 5
+ cpp_varname: "gTLSOCSPSlowResponderWarningSecs"
+ validator:
+ gte: 1
 opensslCipherConfig:
 description: "Cipher configuration string for OpenSSL based TLS connections"
-- 
cgit v1.2.1
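Review bot: The description `How long to wait for an OCSP response before logging a warning message indicating that the responder is slow.` reads as if the server delays or times out the request, whereas the C++ side only compares the measured chain-validation time against this threshold after the call has returned; something like `Log a warning when retrieving an OCSP response during peer certificate validation takes longer than this many seconds.` describes the actual behaviour. Nothing relates this value to the retrieval timeout behind `gTLSOCSPVerifyTimeoutSecs`, so a threshold set at or above that timeout makes the warning hard to reach on a single fetch; the description should say the value is meant to stay below the verify timeout, or the startup validator should check it.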