CDRIVER-3745 add flag to disable rev check on Win

kevinAlbs · kevinAlbs · commit 8c5ae021ab58 · 2020-07-13T20:43:12.000-04:00
Add support for tlsDisableCertificateRevocationCheck with schannel.
diff --git a/src/libmongoc/doc/configuring_tls.rst b/src/libmongoc/doc/configuring_tls.rst
@@ -70,7 +70,7 @@ By default, libmongoc will attempt to find a supported TLS library and enable TL
 
 - ``AUTO`` the default behavior. Link to the system's native TLS library, or attempt to find OpenSSL.
 - ``DARWIN`` link to Secure Transport, the native TLS library on macOS.
-- ``WINDOWS`` link to Secure Channel, the native TLS on Windows.
+- ``WINDOWS`` link to Secure Channel, the native TLS library on Windows.
 - ``OPENSSL`` link to OpenSSL (libssl). An optional install path may be specified with ``OPENSSL_ROOT``.
 - ``LIBRESSL`` link to LibreSSL's libtls. (LibreSSL's compatible libssl may be linked to by setting ``OPENSSL``).
 - ``OFF`` disable TLS support.
@@ -119,11 +119,13 @@ When compiled against the Windows native libraries, the ``ca_dir`` option of a :
 
 Encrypted PEM files (e.g., setting ``tlsCertificateKeyPassword``) are also not supported, and will result in error when attempting to load them.
 
-When ``tlsCAFile`` is set, the driver will only allow server certificates issued by the authority (or authorities) provided. When no ``tlsCAFile`` is set, the driver will look up the Certificate Authority using the ``System Local Machine Root`` certificate store to confirm the provided certificate or the ``Current user certificate store`` if the ``System Local Machine Root`` certificate store is unavailable.
+When ``tlsCAFile`` is set, the driver will only allow server certificates issued by the authority (or authorities) provided. When no ``tlsCAFile`` is set, the driver will look up the Certificate Authority using the ``System Local Machine Root`` certificate store to confirm the provided certificate.
 
 When ``crl_file`` is set with :symbol:`mongoc_ssl_opt_t`, the driver will import the revocation list to the ``System Local Machine Root`` certificate store.
 
-Setting ``tlsDisableOCSPEndpointCheck`` and ``tlsDisableCertificateRevocationCheck`` has no effect.
+Setting ``tlsDisableCertificateRevocationCheck`` disables certificate revocation checking.
+
+Setting ``tlsDisableOCSPEndpointCheck`` has no effect.
 
 The Online Certificate Status Protocol (OCSP) is partially supported (see `RFC 6960 <https://tools.ietf.org/html/rfc6960>`_).
 
diff --git a/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c b/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c
@@ -979,13 +979,15 @@ mongoc_stream_tls_secure_channel_new (mongoc_stream_t *base_stream,
    schannel_cred.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK;
    /* An offline OCSP responder / CRL distribution list is a soft failure. */
    schannel_cred.dwFlags |= SCH_CRED_IGNORE_REVOCATION_OFFLINE;
-
    if (opt->weak_cert_validation) {
       schannel_cred.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION;
       TRACE ("%s", "disabled server certificate checks");
    } else {
-      schannel_cred.dwFlags |=
-         SCH_CRED_AUTO_CRED_VALIDATION | SCH_CRED_REVOCATION_CHECK_CHAIN;
+      schannel_cred.dwFlags |= SCH_CRED_AUTO_CRED_VALIDATION;
+      if (!_mongoc_ssl_opts_disable_certificate_revocation_check (opt)) {
+         schannel_cred.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN;
+         TRACE ("%s", "enabled server certificate revocation checks");
+      }
       TRACE ("%s", "enabled server certificate checks");
    }
 
@@ -1063,11 +1065,6 @@ mongoc_stream_tls_secure_channel_new (mongoc_stream_t *base_stream,
                     "built against Secure Channel");
    }
 
-   if (_mongoc_ssl_opts_disable_certificate_revocation_check (opt)) {
-      MONGOC_ERROR ("Setting tlsDisableCertificateRevocationCheck has no "
-                    "effect when built Secure Channel");
-   }
-
    mongoc_counter_streams_active_inc ();
    RETURN ((mongoc_stream_t *) tls);
 }
