When the PHP driver is being used in an environment with no internet access (e.g. in a private subnet in a VPC with no NAT gateway that is peered to an Atlas VPC), it appears that the connection to MongoDB will fail without giving any indication that the reason for the failure was the inability to reach any OCSP endpoints. The visible error message just says that the connection to the cluster timed out, which is misleading.

We had a customer encounter this scenario, and we were only able to uncover this as the cause when we enabled debug mode for the driver. Here is the relevant portion of the debug logs that we observed for the customer's environment:

[2020-08-21T20:07:57.920635+00:00]     mongoc: DEBUG   > Could not send HTTP request: Failed to connect to: ocsp.int-x3.letsencrypt.org
[2020-08-21T20:07:57.920639+00:00]     mongoc: TRACE   >  GOTO: _contact_ocsp_responder():728 retry
[2020-08-21T20:07:57.920649+00:00]     mongoc: TRACE   >  EXIT: _contact_ocsp_responder():756
[2020-08-21T20:07:57.920653+00:00]     mongoc: DEBUG   > Soft-fail: No OCSP responder could be reached
[2020-08-21T20:07:57.920656+00:00]     mongoc: TRACE   >  GOTO: _mongoc_ocsp_tlsext_status():847 done
[2020-08-21T20:07:57.920663+00:00]     mongoc: TRACE   >  EXIT: _mongoc_ocsp_tlsext_status():957
[2020-08-21T20:07:57.920684+00:00] stream-tls-openssl: TRACE   >  EXIT: _mongoc_stream_tls_openssl_handshake():583

It would be preferable if the driver gave some indication to the user that the reason for the failure was actually the inability to check certificate revocation status, and potentially point to relevant URI parameters to get around the error, such as:

• tlsDisableCertificateRevocationCheck
• tlsDisableOCSPEndpointCheck