Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3734

OCSP requests with OpenSSL do not include Host header

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 1.17.0-rc0, 1.17.0
    • Affects Version/s: None
    • Component/s: None
    • None

      Evergreen tasks are consistently logging OCSP responder errors when contacting Amazon KMS servers:

      [2020/06/05 23:32:36.479] 2020/06/05 23:32:36.0390: [71201]:    DEBUG:       mongoc: Could not perform an OCSP request for url 'http://ocsp.sca1b.amazontrust.com'. Error: error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error
[2020/06/05 23:32:36.479] 2020/06/05 23:32:36.0390: [71201]:    DEBUG:       mongoc: Soft-fail: No OCSP responder could be reached

      These are soft failures, so they do not fail the tests. But these OCSP requests should succeed. I can manually make an OCSP request with OpenSSL commands. The certificates and instructions are attached in kms-ocsp-cli.zip for convenience.

      These logs have been showing for a while. They go back as far as CDRIVER-3668:
      https://evergreen.mongodb.com/task/mongo_c_driver_gcc48rhel_test_latest_server_noauth_sasl_openssl_cse_733322e98fdad8d4cf5fa2ce2f256d8e014ce51e_20_06_05_17_49_51

      I can reproduce this locally by running the client side encryption tests when building against OpenSSL.

      > ./cmake-build/src/libmongoc/test-libmongoc --no-fork -d -l /client_side_encryption/distinct
...
Begin /client_side_encryption/distinct, seed 1569892307
  - distinct with deterministic encryption
2020/07/06 10:39:15.0057: [55294]:    DEBUG:       mongoc: Could not send OCSP request for url 'http://ocsp.sca1b.amazontrust.com'. Error: error:27076072:OCSP routines:parse_http_line1:server response error
2020/07/06 10:39:15.0057: [55294]:    DEBUG:       mongoc: Soft-fail: No OCSP responder could be reached
  - Distinct fails when filtering on a random encrypted field
    { "status": "pass", "test_file": "/client_side_encryption/distinct", "seed": "1569892307", "start": 608.732156, "end": 609.732042, "elapsed": 0.999886  }

      I suspected CDRIVER-3668 caused a regression, but checking out prior commits shows the same behavior.

      Capturing the OCSP requests with wireshark shows that the requests do not include the "Host" HTTP header. Amazon servers appear to reject requests without the host header.

      Sidenote: The "Host" header was required in the HTTP requests to link local addresses AWS auth, hence this comment.
       
       

        1. kms-ocsp-cli.zip
          8 kB

            Assignee:
            kevin.albertson@mongodb.com Kevin Albertson
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: