  1. C Driver
  2. CDRIVER-3788

DNS Lookup Failures to OCSP Exhausts connectTimeoutMS

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: OCSP, tls

      In a network/internet restricted environment, DNS lookups to the TLS certificate's OCSP address may time out when the OCSP is not stapled. This DNS timeout may require longer than the default connectTimeoutMS of 10 seconds (20 seconds is the default DNS lookup timeout for the environments tested).
      After failing to resolve the OCSP address, the driver then immediately aborts the connection with a failure on topology (isMaster response marked as NULL).

      Attached is a trace and debug from a PHP driver connection, but the underlying issue appears to be in the C driver used by the PHP driver.

      Workaround: Set the C or PHP URI flag for tlsDisableOCSPEndpointCheck=true to skip the OCSP portion of the TLS connection.

            Assignee: Unassigned
            Reporter: Jack Alder (jack.alder@mongodb.com)
            Votes: 0
            Watchers: 9
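A diagnostic for the failure described in this report, as an added example that is not part of the issue or of libmongoc: it times a blocking lookup of an OCSP responder host and compares the result with the 10-second connectTimeoutMS default quoted above. The URL is a constructed sample, the function names are hypothetical, and the code assumes the lookup behaves like a blocking getaddrinfo() call.

```c
/* Added diagnostic example (not libmongoc code); names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Copy the host of an OCSP responder URL into out; 0 on success, -1 on error. */
int ocsp_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    size_t n = strcspn(p + 3, ":/?#");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p + 3, n);
    out[n] = '\0';
    return 0;
}

/* Time one blocking getaddrinfo() call (assumed to model the driver's lookup). */
long resolve_ms(const char *host, int *rc)
{
    struct addrinfo hints, *res = NULL;
    struct timespec t0, t1;
    memset(&hints, 0, sizeof hints);
    clock_gettime(CLOCK_MONOTONIC, &t0);
    *rc = getaddrinfo(host, NULL, &hints, &res);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    if (res != NULL) freeaddrinfo(res);
    return (t1.tv_sec - t0.tv_sec) * 1000L + (t1.tv_nsec - t0.tv_nsec) / 1000000L;
}

/* True when the lookup alone used up the whole connect budget. */
int lookup_exhausts_budget(long elapsed_ms, long connect_timeout_ms)
{ return elapsed_ms >= connect_timeout_ms; }

int main(int argc, char **argv)
{
    const char *url = argc > 1 ? argv[1] : "http://127.0.0.1/ocsp"; /* constructed */
    const long budget = 10000; /* connectTimeoutMS default quoted in the report */
    char host[256];
    int rc;
    if (ocsp_host(url, host, sizeof host) != 0) return 2;
    long ms = resolve_ms(host, &rc);
    printf("%s: %ld ms (getaddrinfo rc=%d), budget %ld ms\n", host, ms, rc, budget);
    return lookup_exhausts_budget(ms, budget);
}
```

Run it from the affected host with the responder URL taken from the server certificate; an exit status of 1 means the lookup by itself outlasted the connect budget.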