Specify behavior for validating OCSP responses (#724)

Divjot Arora · web-flow · commit ce5512d007b4 · 2020-02-19T15:20:03.000-05:00
diff --git a/source/ocsp-support/ocsp-support.rst b/source/ocsp-support/ocsp-support.rst
@@ -3,7 +3,7 @@ OCSP Support
 ============
 
 :Spec Title: OCSP Support
-:Spec Version: 1.1.0
+:Spec Version: 1.1.1
 :Author: Vincent Kam
 :Lead: Jeremy Mikola
 :Advisory Group: Clyde Bazile *(POC author)*, Esha Bhargava *(Program Manager)*, Matt Broadstone, Bernie Hackett *(POC author)*, Shreyas Kaylan *(Server Project Lead)*, Jeremy Mikola *(Spec Lead)*
@@ -78,8 +78,9 @@ invalid, the driver SHOULD end the connection.
     stapled OCSP response, a driver SHOULD end the connection.
 
 2.  If a driver’s TLS library supports Stapled OCSP and the server
-    staples an OCSP response that does not cover the certificate it
-    presents, a driver SHOULD end the connection.
+    staples an OCSP response that does not cover the certificate it presents or
+    is invalid per `RFC 6960 Section 3.2 <https://tools.ietf.org/html/rfc6960#section-3.2>`_,
+    a driver SHOULD end the connection.
 
 3.  If a driver’s TLS library supports Stapled OCSP and the server
     staples an OCSP response that does cover the certificate it
@@ -102,9 +103,13 @@ invalid, the driver SHOULD end the connection.
     attempt to validate the status of the unvalidated certificates
     using the cached CRLs.
 
-7.  If the server’s certificate remains unvalidated and that certificate
-    has an OCSP endpoint, the driver SHOULD reach out to the OCSP
-    endpoint specified and attempt to validate that certificate.
+7.  If the server's certificate remains unvalidated and that certificate
+    has a list of OCSP responder endpoints, the driver SHOULD send HTTP
+    requests to the responders in parallel. The first valid response
+    that concretely marks the certificate status as good or revoked
+    should be used. A five-second timeout SHOULD be used for the requests.
+    The status for a response should only be checked if the response is
+    valid per `RFC 6960 Section 3.2 <https://tools.ietf.org/html/rfc6960#section-3.2>`_
 
 8.  If any unvalidated intermediate certificates remain and those
     certificates have OCSP endpoints, for each certificate, the
@@ -117,8 +122,8 @@ invalid, the driver SHOULD end the connection.
     the other certificates using those CRLs.\*
 
 10. Finally, the driver SHOULD continue the connection, even if the
-    status of all the unvalidated intermediate certificates has not
-    been confirmed yet. This means that the driver SHOULD default to
+    status of all the unvalidated certificates has not been
+    confirmed yet. This means that the driver SHOULD default to
     “soft fail” behavior, connecting as long as there are no
     explicitly invalid certificates—i.e. the driver will connect
     even if the status of all the unvalidated certificates has not
@@ -643,13 +648,14 @@ of checking this are:
 
 Changelog
 ==========
+**2020-2-19**: Clarify behavior for reaching out to OCSP responders.
+
 **2020-2-10**: 1.1.0: Add cache requirement.
 
 **2020-1-31**: 1.0.2: Add SNI requirement and clarify design rationale
 regarding minimizing round trips.
 
-**2020-1-28**: 1.0.1: Clarify behavior regarding nonces and tolerance
-periods.
+**2020-1-28**: Clarify behavior regarding nonces and tolerance periods.
 
 **2020-1-16**: 1.0.0: Initial commit.
 
diff --git a/source/ocsp-support/tests/README.rst b/source/ocsp-support/tests/README.rst
@@ -49,7 +49,7 @@ malicious server cases.
 
 +----------------------------------------+-----------------------------------------+-------------------------------------------+-------------------------------------------------+---------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------+--------------------------------------------------------------------+
 | **URI options**                        | **Test 1\:**                            | **Test 2\:**                              | **Test 3\:**                                    | **Test 4\:**                                      | **Soft Fail Test\:**                                | **Malicious Server Test 1\:**                                         | **Malicious Server Test 2\: No OCSP Responder + server w/ Must-**  |
-|                                        | **Valid cert + server that staples**    | **Invalid cert + server that staples**    | **Valid cert + server that does not staple**    | **Invalid cert + server that does not staple**    |                                                     | **Invalid cert + server w/ Must- Staple cert that does not staple**   | **Staple cert that does not staple**                               |
+|                                        | **Valid cert + server that staples**    | **Invalid cert + server that staples**    | **Valid cert + server that does not staple**    | **Invalid cert + server that does not staple**    | **No OCSP Responder + server that does not staple** | **Invalid cert + server w/ Must- Staple cert that does not staple**   | **Staple cert that does not staple**                               |
 +========================================+=========================================+===========================================+=================================================+===================================================+=====================================================+=======================================================================+====================================================================+
 | ``tls=true``                           | OK                                      | FAIL                                      | OK                                              | FAIL                                              | OK\*                                                | FAIL\*                                                                | FAIL\*                                                             |
 +----------------------------------------+-----------------------------------------+-------------------------------------------+-------------------------------------------------+---------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------+--------------------------------------------------------------------+
@@ -67,8 +67,9 @@ to determine which versions of the server can be used for each column.
 Note: From the perspective of a driver that does not support OCSP
 stapling, the following sets of tests should be identical: {Test 1, Test
 3}, {Test 2, Test 4, Malicious Server Test 1}, and {Soft Fail Test,
-Malicious Server Test 2}. However, it does no harm to test these extra
-cases and may help reveal unexpected behavior.
+Malicious Server Test 2}. For drivers with full control over their OCSP behavior, both malicious
+server tests are identical as well. However, it does no harm to test these
+extra cases and may help reveal unexpected behavior.
 
 \*: Drivers that cannot pass these tests due to limitations in their TLS
 library’s implementation of OCSP will need to document these failures as
@@ -91,8 +92,9 @@ certificate is invalid.
 The mongo-orchestration configurations needed for testing can be found
 at ``.evergreen/orchestration/configs/servers/``. Tests that specify that a
 server should staple MUST use ``basic-tls-ocsp-mustStaple.json``. Tests that
-specify that a server should not staple MUST use ``basic-tls-ocsp.json``.
-The malicious server tests MUST use ``basic-tls-ocsp-mustStaple.json``.
+specify that a server should not staple MUST use
+``basic-tls-ocsp-disableStapling.json``. The malicious server tests MUST use
+``basic-tls-ocsp-mustStaple-disableStapling.json``.
 
 Test Procedure
 ==============
@@ -114,7 +116,7 @@ for instructions on how to clear OS-level OCSP caches.
 
 Ensure that a mongod is running with the correct certificate chain (see
 `Mock OCSP Responder Testing
-Suite <../ocsp-support.rst#mock-ocsp-responder-testing-suite>`__
+Suite `<#mock-ocsp-responder-testing-suite>`__
 for configuration details) and that the mock OCSP responder is configured
 to report the expected revocation status for that certificate. Again, each
 test column MUST BE its own Evergreen task in order to minimize the impact
