Type: Task
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: None
Component/s: OCSP
The OCSP cache should replace existing entries with new responses if the new responses have a nextUpdate time greater than the cached response. This is to match the OCSP spec's recommended behavior:
If a driver would accept a stapled OCSP response and that response has a later nextUpdate than the response already in the cache, drivers SHOULD replace the older entry in the cache with the fresher response.
To do the time comparison, ASN1_TIME_compare is used, which was added in OpenSSL 1.1.1.
To support OCSP in older versions of OpenSSL, the cache bypasses this comparison. This means that with OpenSSL versions before 1.1.1, newer responses with a later nextUpdate time will not overwrite existing cache entries.
This is less desirable, but also does not seem harmful, as cache entries are still removed on expiration.
See this PR comment for additional context: https://github.com/mongodb/mongo-c-driver/pull/623#discussion_r432192850
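The replacement rule described above, as an added example that is not the driver's own code: a portable comparison of ASN.1 time strings (GeneralizedTime and UTCTime) stands in for ASN1_TIME_compare so the block runs without OpenSSL, and the function and type names (portable_asn1_time_compare, ocsp_cache_offer, ocsp_cache_entry_t) are assumptions, not the driver's API.

```c
#include <stdbool.h>
#include <string.h>

/* Expand an ASN.1 time into "YYYYMMDDHHMMSS" so two values compare as strings.
   GeneralizedTime is "YYYYMMDDHHMMSSZ"; UTCTime is "YYMMDDHHMMSSZ" and, per
   RFC 5280, YY >= 50 means 19YY, otherwise 20YY. False on any other shape. */
static bool asn1_time_normalize(const char *in, char out[15]) {
    size_t n = strlen(in);
    if (n == 15 && in[14] == 'Z') {                 /* GeneralizedTime */
        memcpy(out, in, 14);
    } else if (n == 13 && in[12] == 'Z') {          /* UTCTime */
        if (in[0] < '0' || in[0] > '9' || in[1] < '0' || in[1] > '9') return false;
        int yy = (in[0] - '0') * 10 + (in[1] - '0');
        memcpy(out, yy >= 50 ? "19" : "20", 2);
        memcpy(out + 2, in, 12);
    } else return false;
    out[14] = '\0';
    for (size_t i = 0; i < 14; i++)
        if (out[i] < '0' || out[i] > '9') return false;
    return true;
}

/* Same contract as OpenSSL's ASN1_TIME_compare(): -1, 0, 1 for a<b, a==b, a>b,
   and -2 when either value cannot be parsed. (Hypothetical stand-in, not OpenSSL.) */
int portable_asn1_time_compare(const char *a, const char *b) {
    char na[15], nb[15];
    if (!asn1_time_normalize(a, na) || !asn1_time_normalize(b, nb)) return -2;
    int c = strcmp(na, nb);
    return c < 0 ? -1 : (c > 0 ? 1 : 0);
}

/* One cache slot; only the nextUpdate needed by the replacement rule is kept. */
typedef struct {
    bool populated;
    char next_update[16];
} ocsp_cache_entry_t;

/* The ticket's rule: take the new response only if the slot is empty or its
   nextUpdate is strictly later than the cached one. Equal, older and
   unparseable times keep the cached entry. Returns true if replaced. */
bool ocsp_cache_offer(ocsp_cache_entry_t *entry, const char *new_next_update) {
    char scratch[15];
    if (!asn1_time_normalize(new_next_update, scratch)) return false;
    if (entry->populated &&
        portable_asn1_time_compare(new_next_update, entry->next_update) <= 0) return false;
    strcpy(entry->next_update, new_next_update);  /* normalize() bounded the length to 15 */
    entry->populated = true;
    return true;
}
```

On OpenSSL 1.1.1 and later the comparison step would be ASN1_TIME_compare on the parsed response times; on older OpenSSL the ticket notes the driver skips the comparison, so a stand-in like the one above is what a comparing fallback would need.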
Issue links: is related to CDRIVER-3668 Support OCSP in older OpenSSL versions (Closed)