OCSP deprecation plan steps

deps/curl/lib/vtls/sf_ocsp.c

@@ -100,7 +100,7 @@ typedef pthread_mutex_t SF_MUTEX_HANDLE;
 #define CA_OCSP_RESPONDER_MAX_RETRY_FO 1
 
 // Max number of connection retry attempts for OCSP Responder in Fail Close Mode
-#define CA_OCSP_RESPONDER_MAX_RETRY_FC 3
+#define CA_OCSP_RESPONDER_MAX_RETRY_FC 2
 
 // Max number of connection retry attempts for OCSP Cache Server
 #define OCSP_CACHE_SERVER_MAX_RETRY 1
@@ -1667,7 +1667,6 @@ OCSP_RESPONSE * getOCSPResponse(X509 *cert, X509 *issuer,
     char *ocsp_url = sk_OPENSSL_STRING_value(ocsp_list, i);
     if (ocsp_url == NULL)
     {
-      failf(data, "OCSP Validation URL is not present");
       /*
        * Try the next OCSP Server in ocsp_list, if present.
        */
@@ -1698,8 +1697,9 @@ OCSP_RESPONSE * getOCSPResponse(X509 *cert, X509 *issuer,
     break; /* good if any OCSP server works */
   }
 
-  if(ocsp_url_missing || ocsp_url_invalid)
+  if((ocsp_url_missing || ocsp_url_invalid) && (ocsp_fail_open == DISABLED))
   {
+    failf(data, "OCSP Validation URL is not present or invalid.");
     sf_otd_set_event_sub_type(OCSP_URL_MISSING_OR_INVALID, ocsp_log_data);
   }
 
@@ -1718,20 +1718,7 @@ OCSP_RESPONSE * getOCSPResponse(X509 *cert, X509 *issuer,
 
 static void printOCSPFailOpenWarning(SF_OTD *ocsp_log, struct Curl_easy *data, bool oob_enable)
 {
-  char *ocsp_log_data = NULL;
-  ocsp_log_data = generateOCSPTelemetryData(ocsp_log);
-  infof(data, "WARNING!!! Using fail-open to connect. Driver is connecting to an "
-              "HTTPS endpoint without OCSP based Certificate Revocation checking "
-              "as it could not obtain a valid OCSP Response to use from the CA OCSP "
-              "responder. Details:%s",ocsp_log_data);
-  if (ocsp_log_data)
-  {
-    if (oob_enable)
-    {
-      sendOOBevent(ocsp_log_data);
-    }
-    if(ocsp_log_data) sf_curl_cJSON_free(ocsp_log_data);
-  }
+  infof(data, "OCSP responder didn't respond correctly. Assuming certificate is not revoked.");
 }
 
 static char * generateOCSPTelemetryData(SF_OTD *ocsp_log)

lib/client.c

@@ -708,7 +708,7 @@ SF_CONNECT *STDCALL snowflake_init() {
         sf->passcode = NULL;
         sf->passcode_in_password = SF_BOOLEAN_FALSE;
         sf->insecure_mode = SF_BOOLEAN_FALSE;
-        sf->ocsp_fail_open = SF_BOOLEAN_FALSE;
+        sf->ocsp_fail_open = SF_BOOLEAN_TRUE;
         sf->autocommit = SF_BOOLEAN_TRUE;
         sf->qcc_disable = SF_BOOLEAN_FALSE;
         sf->include_retry_reason = SF_BOOLEAN_TRUE;
@@ -1129,7 +1129,7 @@ SF_STATUS STDCALL snowflake_set_attribute(
             sf->insecure_mode = value ? *((sf_bool *) value) : SF_BOOLEAN_FALSE;
             break;
         case SF_CON_OCSP_FAIL_OPEN:
-          sf->ocsp_fail_open = value ? *((sf_bool*)value) : SF_BOOLEAN_FALSE;
+          sf->ocsp_fail_open = value ? *((sf_bool*)value) : SF_BOOLEAN_TRUE;
           break;
         case SF_CON_LOGIN_TIMEOUT:
             sf->login_timeout = value ? *((int64 *) value) : SF_LOGIN_TIMEOUT;

tests/test_ocsp_fail_open.c

@@ -4,7 +4,7 @@
 
 #include "utils/test_setup.h"
 
-#define FAIL_OPEN_DEFAULT SF_BOOLEAN_FALSE
+#define FAIL_OPEN_DEFAULT SF_BOOLEAN_TRUE
 
 void setCacheFile(char *cache_file)
 {