PHP Driver: Extension
PHPC-1671

Better user-facing messaging when OCSP endpoints are unreachable

    • Type: Improvement
    • Resolution: Works as Designed
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None

      When the PHP driver is being used in an environment with no internet access (e.g. in a private subnet in a VPC with no NAT gateway that is peered to an Atlas VPC), it appears that the connection to MongoDB will fail without giving any indication that the reason for the failure was the inability to reach any OCSP endpoints. The visible error message just says that the connection to the cluster timed out, which is misleading.

      We had a customer encounter this scenario, and we were only able to uncover this as the cause when we enabled debug mode for the driver. Here is the relevant portion of the debug logs that we observed for the customer's environment:

      [2020-08-21T20:07:57.920635+00:00]     mongoc: DEBUG   > Could not send HTTP request: Failed to connect to: ocsp.int-x3.letsencrypt.org
      [2020-08-21T20:07:57.920639+00:00]     mongoc: TRACE   >  GOTO: _contact_ocsp_responder():728 retry
      [2020-08-21T20:07:57.920649+00:00]     mongoc: TRACE   >  EXIT: _contact_ocsp_responder():756
      [2020-08-21T20:07:57.920653+00:00]     mongoc: DEBUG   > Soft-fail: No OCSP responder could be reached
      [2020-08-21T20:07:57.920656+00:00]     mongoc: TRACE   >  GOTO: _mongoc_ocsp_tlsext_status():847 done
      [2020-08-21T20:07:57.920663+00:00]     mongoc: TRACE   >  EXIT: _mongoc_ocsp_tlsext_status():957
      [2020-08-21T20:07:57.920684+00:00] stream-tls-openssl: TRACE   >  EXIT: _mongoc_stream_tls_openssl_handshake():583
      

      It would be preferable if the driver gave some indication to the user that the reason for the failure was actually the inability to check certificate revocation status, and potentially pointed to relevant URI parameters to get around the error, such as:

      • tlsDisableCertificateRevocationCheck
      • tlsDisableOCSPEndpointCheck
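As an added example (not part of this ticket or of the driver itself), a small Python helper that scans libmongoc debug output of the shape quoted above and names the OCSP reachability failure that the connection timeout hides. The log-line format, the message strings and the sample lines are taken from the trace in the ticket; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Shape of a libmongoc debug/trace line as quoted in the ticket:
#   [timestamp]     component: LEVEL   > message
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<component>[\w-]+):\s+(?P<level>[A-Z]+)\s+>\s*(?P<msg>.*)$")
# Messages libmongoc logs when an OCSP responder cannot be reached (see the trace above).
RESPONDER_UNREACHABLE = re.compile(r"Could not send HTTP request: Failed to connect to: (?P<host>\S+)")
SOFT_FAIL = "Soft-fail: No OCSP responder could be reached"

# Sample input: the debug lines quoted in the ticket, trimmed to the ones that matter.
SAMPLE_LOG = """\
[2020-08-21T20:07:57.920635+00:00]     mongoc: DEBUG   > Could not send HTTP request: Failed to connect to: ocsp.int-x3.letsencrypt.org
[2020-08-21T20:07:57.920639+00:00]     mongoc: TRACE   >  GOTO: _contact_ocsp_responder():728 retry
[2020-08-21T20:07:57.920653+00:00]     mongoc: DEBUG   > Soft-fail: No OCSP responder could be reached
[2020-08-21T20:07:57.920684+00:00] stream-tls-openssl: TRACE   >  EXIT: _mongoc_stream_tls_openssl_handshake():583
"""


@dataclass
class OcspDiagnosis:
    unreachable_responders: list = field(default_factory=list)  # responder hosts, in order seen
    soft_failed: bool = False  # libmongoc gave up on revocation checking (soft-fail)

    def blocked(self) -> bool:
        return self.soft_failed or bool(self.unreachable_responders)


def diagnose_ocsp(log_text: str) -> OcspDiagnosis:
    # Walk the debug output line by line and collect the OCSP-specific evidence.
    diag = OcspDiagnosis()
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # not a libmongoc log line (e.g. interleaved application output)
        msg = m.group("msg")
        hit = RESPONDER_UNREACHABLE.search(msg)
        if hit and hit.group("host") not in diag.unreachable_responders:
            diag.unreachable_responders.append(hit.group("host"))
        elif SOFT_FAIL in msg:
            diag.soft_failed = True
    return diag


def explain(diag: OcspDiagnosis) -> str:
    # The kind of user-facing hint the ticket asks the driver to produce instead of a bare timeout.
    if not diag.blocked():
        return "No OCSP reachability problem found in the log."
    hosts = ", ".join(diag.unreachable_responders) or "unknown responder"
    return (f"TLS handshake could not check certificate revocation: OCSP responder(s) unreachable ({hosts}). "
            "In a network without outbound HTTP, see the tlsDisableOCSPEndpointCheck and "
            "tlsDisableCertificateRevocationCheck URI options (both weaken revocation checking).")
```

Run it over the output of the driver's debug mode; a clean handshake trace yields the "No OCSP reachability problem" result, so the helper can be kept in a connection troubleshooting script without producing noise.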

            Assignee: Jeremy Mikola (jmikola@mongodb.com)
            Reporter: Chandler Wyatt (chandler.wyatt@mongodb.com)
            Votes: 0
            Watchers: 4