Type: Bug
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: None
(copied to CRM)
In a network/internet restricted environment, DNS lookups to the TLS certificate's OCSP address may time out when the OCSP response is not stapled. This DNS timeout may require longer than the default connecttimeoutms of 10 seconds (20 seconds is the default DNS lookup timeout in the environments tested).
After failing to resolve the OCSP address, the driver then immediately aborts the connection with a failure on topology (isMaster response marked as NULL).
Attached is a trace and debug from a PHP driver connection, but the underlying issue appears to be in the C driver used by the PHP driver.
Workaround: Set the C or PHP URI flag for tlsDisableOCSPEndpointCheck=true to skip the OCSP portion of the TLS connection.
Issue links:
- is related to: CDRIVER-3781 Improve debugging output for OCSP soft-failures (Backlog)
- is related to: PHPC-1671 Better user-facing messaging when OCSP endpoints are unreachable (Closed)
- related to: CDRIVER-4522 Possible improvements to mitigate negative effects of OCSP endpoint timeouts (Backlog)