C Driver / CDRIVER-3707

Polyfill ASN1_TIME comparison for OpenSSL pre 1.1.1

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: OCSP

The OCSP cache should replace existing entries with new responses if the new responses have a nextUpdate time greater than the cached response. This matches the OCSP spec's recommended behavior:

    If a driver would accept a stapled OCSP response and that response has a later nextUpdate than the response already in the cache, drivers SHOULD replace the older entry in the cache with the fresher response.

To do the time comparison, ASN1_TIME_compare is used, which was added in OpenSSL 1.1.1.

To support OCSP in older versions of OpenSSL, the cache bypasses this comparison. This means that with OpenSSL pre-1.1.1, newer responses with a later nextUpdate time will not overwrite existing cache entries.

This is less desirable, but also does not seem harmful, as cache entries are still removed on expiration.

See this PR comment for additional context: https://github.com/mongodb/mongo-c-driver/pull/623#discussion_r432192850
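As an added illustration (not the driver's code), a polyfill with the same contract as ASN1_TIME_compare, written over the textual form of an ASN1_TIME (`t->type` and `t->data` in OpenSSL) so it builds without OpenSSL headers; the type constants 23 and 24 are OpenSSL's V_ASN1_UTCTIME and V_ASN1_GENERALIZEDTIME values, and the century rule for two-digit years follows RFC 5280.

```c
#include <ctype.h>
#include <string.h>

/* Values of V_ASN1_UTCTIME / V_ASN1_GENERALIZEDTIME from OpenSSL's asn1.h. */
#define TIME_UTC 23
#define TIME_GENERALIZED 24

/* Normalize the body of an ASN1_TIME ("YYMMDDHHMMSSZ" or "YYYYMMDDHHMMSSZ")
 * into a fixed "YYYYMMDDHHMMSS" string. Returns 0 on success, -1 if the
 * string is malformed. Fractional seconds and non-Zulu offsets are
 * rejected, as RFC 5280 requires times in UTC with a trailing 'Z'. */
static int asn1_time_normalize(int type, const char *s, char out[15]) {
    size_t n = strlen(s);
    if (type == TIME_UTC) {
        /* UTCTime: RFC 5280 maps YY >= 50 to 19YY and YY < 50 to 20YY. */
        if (n != 13 || s[12] != 'Z') return -1;
        int yy = (s[0] - '0') * 10 + (s[1] - '0');
        memcpy(out, yy >= 50 ? "19" : "20", 2);
        memcpy(out + 2, s, 12);
    } else if (type == TIME_GENERALIZED) {
        if (n != 15 || s[14] != 'Z') return -1;
        memcpy(out, s, 14);
    } else {
        return -1;
    }
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)out[i])) return -1;
    out[14] = '\0';
    return 0;
}

/* Same contract as ASN1_TIME_compare: -1 if a < b, 0 if equal,
 * 1 if a > b, and -2 on error. */
int asn1_time_compare_polyfill(int type_a, const char *a,
                               int type_b, const char *b) {
    char na[15], nb[15];
    if (asn1_time_normalize(type_a, a, na) != 0 ||
        asn1_time_normalize(type_b, b, nb) != 0)
        return -2;
    int c = memcmp(na, nb, 14); /* digit strings of equal length compare lexically */
    return c < 0 ? -1 : (c > 0 ? 1 : 0);
}

/* The cache rule from this ticket: replace the cached entry only when the
 * new response's nextUpdate is strictly later (errors never replace). */
int ocsp_cache_should_replace(int type_cached, const char *cached_next_update,
                              int type_new, const char *new_next_update) {
    return asn1_time_compare_polyfill(type_new, new_next_update,
                                      type_cached, cached_next_update) == 1;
}
```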

Assignee: Unassigned
Reporter: Kevin Albertson (kevin.albertson@mongodb.com)
Votes: 0
Watchers: 2