CDRIVER-3580 soft-fail with schannel

kevinAlbs · kevinAlbs · commit 7881888b5784 · 2020-07-11T12:13:08.000-04:00
With schannel, if certificate validation occurs due to:
- certificates not having revocation info
- OCSP responder / CRL distribution being offline
Consider this a soft-failure.
diff --git a/src/libmongoc/doc/configuring_tls.rst b/src/libmongoc/doc/configuring_tls.rst
@@ -123,9 +123,7 @@ When ``tlsCAFile`` is set, the driver will only allow server certificates issued
 
 When ``crl_file`` is set with :symbol:`mongoc_ssl_opt_t`, the driver will import the revocation list to the ``System Local Machine Root`` certificate store.
 
-Setting ``tlsDisableOCSPEndpointCheck`` has no effect.
-
-Setting ``tlsAllowInvalidHostnames`` additionally consider certificates with no revocation mechanisms specified (CRL / OCSP) a non-error.
+Setting ``tlsDisableOCSPEndpointCheck`` and ``tlsDisableCertificateRevocationCheck`` has no effect.
 
 The Online Certificate Status Protocol (OCSP) is partially supported (see `RFC 6960 <https://tools.ietf.org/html/rfc6960>`_).
 
diff --git a/src/libmongoc/src/mongoc/mongoc-secure-channel.c b/src/libmongoc/src/mongoc/mongoc-secure-channel.c
@@ -820,9 +820,7 @@ mongoc_secure_channel_handshake_step_2 (mongoc_stream_tls_t *tls,
             break;
          case CRYPT_E_NO_REVOCATION_CHECK:
             MONGOC_ERROR ("SSL Certification verification failed: certificate "
-                          "does not include revocation check. Set "
-                          "tlsDisableCertificateRevocationCheck to disable "
-                          "revocation checking");
+                          "does not include revocation check.");
             break;
 
          case SEC_E_INSUFFICIENT_MEMORY:
diff --git a/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c b/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c
@@ -974,24 +974,23 @@ mongoc_stream_tls_secure_channel_new (mongoc_stream_t *base_stream,
    schannel_cred.dwFlags = SCH_USE_STRONG_CRYPTO;
 #endif
 
+   /* By default, enable soft failing.
+    * A certificate with no revocation check is a soft failure. */
+   schannel_cred.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK;
+   /* An offline OCSP responder / CRL distribution list is a soft failure. */
+   schannel_cred.dwFlags |= SCH_CRED_IGNORE_REVOCATION_OFFLINE;
+
    if (opt->weak_cert_validation) {
-      schannel_cred.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION |
-                               SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
-                               SCH_CRED_IGNORE_REVOCATION_OFFLINE;
+      schannel_cred.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION;
       TRACE ("%s", "disabled server certificate checks");
-   } else if (_mongoc_ssl_opts_disable_certificate_revocation_check (opt)) {
-      schannel_cred.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
-                               SCH_CRED_IGNORE_REVOCATION_OFFLINE;
-      TRACE ("%s", "disabled server certificate revocation checks");
    } else {
       schannel_cred.dwFlags |=
          SCH_CRED_AUTO_CRED_VALIDATION | SCH_CRED_REVOCATION_CHECK_CHAIN;
       TRACE ("%s", "enabled server certificate checks");
    }
 
    if (opt->allow_invalid_hostname) {
-      schannel_cred.dwFlags |=
-         SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_IGNORE_NO_REVOCATION_CHECK;
+      schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
    }
 
    if (opt->ca_file) {
@@ -1064,6 +1063,11 @@ mongoc_stream_tls_secure_channel_new (mongoc_stream_t *base_stream,
                     "built against Secure Channel");
    }
 
+   if (_mongoc_ssl_opts_disable_certificate_revocation_check (opt)) {
+      MONGOC_ERROR ("Setting tlsDisableCertificateRevocationCheck has no "
+                    "effect when built Secure Channel");
+   }
+
    mongoc_counter_streams_active_inc ();
    RETURN ((mongoc_stream_t *) tls);
 }
