- Type: Improvement
- Resolution: Works as Designed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- (copied to CRM)
When the PHP driver is being used in an environment with no internet access (e.g. in a private subnet in a VPC with no NAT gateway that is peered to an Atlas VPC), it appears that the connection to MongoDB will fail without giving any indication that the reason for the failure was the inability to reach any OCSP endpoints. The visible error message just says that the connection to the cluster timed out, which is misleading.
We had a customer encounter this scenario, and we were only able to uncover this as the cause when we enabled debug mode for the driver. Here is the relevant portion of the debug logs that we observed for the customer's environment:
[2020-08-21T20:07:57.920635+00:00] mongoc: DEBUG > Could not send HTTP request: Failed to connect to: ocsp.int-x3.letsencrypt.org
[2020-08-21T20:07:57.920639+00:00] mongoc: TRACE > GOTO: _contact_ocsp_responder():728 retry
[2020-08-21T20:07:57.920649+00:00] mongoc: TRACE > EXIT: _contact_ocsp_responder():756
[2020-08-21T20:07:57.920653+00:00] mongoc: DEBUG > Soft-fail: No OCSP responder could be reached
[2020-08-21T20:07:57.920656+00:00] mongoc: TRACE > GOTO: _mongoc_ocsp_tlsext_status():847 done
[2020-08-21T20:07:57.920663+00:00] mongoc: TRACE > EXIT: _mongoc_ocsp_tlsext_status():957
[2020-08-21T20:07:57.920684+00:00] stream-tls-openssl: TRACE > EXIT: _mongoc_stream_tls_openssl_handshake():583
It would be preferable if the driver gave some indication to the user that the reason for the failure was actually the inability to check certificate revocation status, and potentially point to relevant URI parameters to get around the error, such as:
- tlsDisableCertificateRevocationCheck
- tlsDisableOCSPEndpointCheck
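As an added example (not code from this ticket or from the driver), the Python below scans libmongoc debug output for the soft-fail signature quoted above and turns it into the kind of message the ticket asks the driver to emit: which responder could not be reached, that the time spent trying counts against the connection timeout, and which URI options the ticket names as workarounds. The sample log is the ticket's own excerpt; the function names, the dataclass and the message wording are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shape of libmongoc's debug/trace output as quoted in the ticket:
#   [timestamp] component: LEVEL > message
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<component>[\w-]+): (?P<level>[A-Z]+) > (?P<msg>.*)$"
)

# Message fragments taken verbatim from the ticket's log excerpt.
RESPONDER_UNREACHABLE = re.compile(r"Failed to connect to: (?P<host>\S+)")
SOFT_FAIL = "Soft-fail: No OCSP responder could be reached"

# URI options the ticket lists as ways to avoid the OCSP round trip.
MITIGATION_OPTIONS = ("tlsDisableOCSPEndpointCheck", "tlsDisableCertificateRevocationCheck")

# The ticket's own log excerpt, used here as sample input.
SAMPLE_LOG = "\n".join([
    "[2020-08-21T20:07:57.920635+00:00] mongoc: DEBUG > Could not send HTTP request: Failed to connect to: ocsp.int-x3.letsencrypt.org",
    "[2020-08-21T20:07:57.920639+00:00] mongoc: TRACE > GOTO: _contact_ocsp_responder():728 retry",
    "[2020-08-21T20:07:57.920649+00:00] mongoc: TRACE > EXIT: _contact_ocsp_responder():756",
    "[2020-08-21T20:07:57.920653+00:00] mongoc: DEBUG > Soft-fail: No OCSP responder could be reached",
    "[2020-08-21T20:07:57.920656+00:00] mongoc: TRACE > GOTO: _mongoc_ocsp_tlsext_status():847 done",
    "[2020-08-21T20:07:57.920663+00:00] mongoc: TRACE > EXIT: _mongoc_ocsp_tlsext_status():957",
    "[2020-08-21T20:07:57.920684+00:00] stream-tls-openssl: TRACE > EXIT: _mongoc_stream_tls_openssl_handshake():583",
])


@dataclass
class OcspDiagnosis:
    """What the log scan found about OCSP responder reachability."""
    soft_fail_seen: bool = False
    unreachable_responders: List[str] = field(default_factory=list)
    first_failure_ts: Optional[str] = None
    last_failure_ts: Optional[str] = None

    @property
    def ocsp_implicated(self) -> bool:
        return self.soft_fail_seen or bool(self.unreachable_responders)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one mongoc log line into ts/component/level/msg; None if not that shape."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(log_text: str) -> OcspDiagnosis:
    """Scan debug output for the responder-unreachable and soft-fail lines."""
    diag = OcspDiagnosis()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hit = RESPONDER_UNREACHABLE.search(rec["msg"])
        is_soft_fail = SOFT_FAIL in rec["msg"]
        if not hit and not is_soft_fail:
            continue
        if hit and hit.group("host") not in diag.unreachable_responders:
            diag.unreachable_responders.append(hit.group("host"))
        if is_soft_fail:
            diag.soft_fail_seen = True
        if diag.first_failure_ts is None:
            diag.first_failure_ts = rec["ts"]
        diag.last_failure_ts = rec["ts"]
    return diag


def explain(diag: OcspDiagnosis) -> str:
    """Render the findings as the message the ticket wishes the driver would surface."""
    if not diag.ocsp_implicated:
        return "No OCSP responder failures found; the timeout has another cause."
    hosts = ", ".join(diag.unreachable_responders) or "an unknown responder"
    return (
        f"TLS handshake could not reach OCSP responder(s) {hosts}; the revocation "
        "check soft-failed, but the time spent trying counts against connectTimeoutMS, "
        "so the connection surfaces as a timeout. If this deployment has no outbound "
        f"internet access, consider the URI options {' or '.join(MITIGATION_OPTIONS)}."
    )


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

Run it against a driver debug log (for example the output captured after enabling the driver's debug mode, as the ticket describes) instead of SAMPLE_LOG to check whether a reported timeout coincides with OCSP responder failures before changing any TLS option.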
- related to
  - CDRIVER-3788 DNS Lookup Failures to OCSP Exhausts connectTimeoutMS (Backlog)
  - CDRIVER-3781 Improve debugging output for OCSP soft-failures (Backlog)
  - CDRIVER-4522 Possible improvements to mitigate negative effects of OCSP endpoint timeouts (Backlog)