diff --git a/deps/curl/lib/vtls/sf_ocsp.c b/deps/curl/lib/vtls/sf_ocsp.c
index 2df7a8d0b4..f559ec69c6 100644
--- a/deps/curl/lib/vtls/sf_ocsp.c
+++ b/deps/curl/lib/vtls/sf_ocsp.c
@@ -100,7 +100,7 @@ typedef pthread_mutex_t SF_MUTEX_HANDLE;
 #define CA_OCSP_RESPONDER_MAX_RETRY_FO 1
 
 // Max number of connection retry attempts for OCSP Responder in Fail Close Mode
-#define CA_OCSP_RESPONDER_MAX_RETRY_FC 3
+#define CA_OCSP_RESPONDER_MAX_RETRY_FC 2
 
 // Max number of connection retry attempts for OCSP Cache Server
 #define OCSP_CACHE_SERVER_MAX_RETRY 1
@@ -1667,7 +1667,6 @@ OCSP_RESPONSE * getOCSPResponse(X509 *cert, X509 *issuer,
 char *ocsp_url = sk_OPENSSL_STRING_value(ocsp_list, i);
 if (ocsp_url == NULL)
 {
- failf(data, "OCSP Validation URL is not present");
 /*
 * Try the next OCSP Server in ocsp_list, if present.
 */
@@ -1698,8 +1697,9 @@ OCSP_RESPONSE * getOCSPResponse(X509 *cert, X509 *issuer,
 break; /* good if any OCSP server works */
 }
 
- if(ocsp_url_missing || ocsp_url_invalid)
+ if((ocsp_url_missing || ocsp_url_invalid) && (ocsp_fail_open == DISABLED))
 {
+ failf(data, "OCSP Validation URL is not present or invalid.");
 sf_otd_set_event_sub_type(OCSP_URL_MISSING_OR_INVALID, ocsp_log_data);
 }
 
@@ -1720,18 +1720,8 @@ static void printOCSPFailOpenWarning(SF_OTD *ocsp_log, struct Curl_easy *data, b
 {
 char *ocsp_log_data = NULL;
 ocsp_log_data = generateOCSPTelemetryData(ocsp_log);
- infof(data, "WARNING!!! Using fail-open to connect. Driver is connecting to an " "HTTPS endpoint without OCSP based Certificate Revocation checking " "as it could not obtain a valid OCSP Response to use from the CA OCSP " "responder. Details:%s",ocsp_log_data);
- if (ocsp_log_data)
- {
- if (oob_enable)
- {
- sendOOBevent(ocsp_log_data);
- }
- if(ocsp_log_data) sf_curl_cJSON_free(ocsp_log_data);
- }
+ infof(data, "OCSP responder didn't respond correctly. Assuming certificate is not revoked." " Details:%s", ocsp_log_data);
 }
 
 static char * generateOCSPTelemetryData(SF_OTD *ocsp_log)
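Review bot: Gating the whole block on `ocsp_fail_open == DISABLED` in the new `if((ocsp_url_missing || ocsp_url_invalid) && ...)` line also suppresses `sf_otd_set_event_sub_type(OCSP_URL_MISSING_OR_INVALID, ocsp_log_data)` in fail-open mode, so the telemetry attached to a fail-open connection no longer records why no responder was ever contacted. Only the `failf` needs the fail-open test; the sub-type is diagnostic data and should be recorded in both modes, unless dropping it in fail-open mode is intended, in which case a comment should say so. `ocsp_fail_open` and `DISABLED` are read here without any visible declaration in the hunk, so if `ocsp_fail_open` is a parameter of getOCSPResponse its expected values belong in the function's header comment. getOCSPResponse starts and ends outside this hunk.
```c
    if (ocsp_url_missing || ocsp_url_invalid)
    {
      if (ocsp_fail_open == DISABLED)
      {
        failf(data, "OCSP Validation URL is not present or invalid.");
      }
      /* record the reason in telemetry whichever mode is in effect */
      sf_otd_set_event_sub_type(OCSP_URL_MISSING_OR_INVALID, ocsp_log_data);
    }
```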
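Review bot: The new body of printOCSPFailOpenWarning never releases `ocsp_log_data`: the `sf_curl_cJSON_free(ocsp_log_data)` call went away together with the `sendOOBevent` branch, but `generateOCSPTelemetryData(ocsp_log)` still produces the string that `infof` prints, so every fail-open connection now leaks it. Keep the release after the `infof` call, with the NULL guard the old code had: `if (ocsp_log_data) sf_curl_cJSON_free(ocsp_log_data);`. Dropping `sendOOBevent` also leaves the `oob_enable` parameter unused and means a fail-open connection is no longer reported out-of-band, which removes the one signal an operator had that revocation checking was skipped; if that is intended, say so in a comment above the function, otherwise keep the `if (oob_enable) sendOOBevent(ocsp_log_data);` branch. The replacement message also no longer states that fail-open is in effect or that revocation was not checked, which makes the log line harder to find during incident triage.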
diff --git a/lib/client.c b/lib/client.c
index 99aef499a9..0cadc7763d 100644
--- a/lib/client.c
+++ b/lib/client.c
@@ -708,7 +708,7 @@ SF_CONNECT *STDCALL snowflake_init() {
 sf->passcode = NULL;
 sf->passcode_in_password = SF_BOOLEAN_FALSE;
 sf->insecure_mode = SF_BOOLEAN_FALSE;
- sf->ocsp_fail_open = SF_BOOLEAN_FALSE;
+ sf->ocsp_fail_open = SF_BOOLEAN_TRUE;
 sf->autocommit = SF_BOOLEAN_TRUE;
 sf->qcc_disable = SF_BOOLEAN_FALSE;
 sf->include_retry_reason = SF_BOOLEAN_TRUE;
@@ -1129,7 +1129,7 @@ SF_STATUS STDCALL snowflake_set_attribute(
 sf->insecure_mode = value ? *((sf_bool *) value) : SF_BOOLEAN_FALSE;
 break;
 case SF_CON_OCSP_FAIL_OPEN:
- sf->ocsp_fail_open = value ? *((sf_bool*)value) : SF_BOOLEAN_FALSE;
+ sf->ocsp_fail_open = value ? *((sf_bool*)value) : SF_BOOLEAN_TRUE;
 break;
 case SF_CON_LOGIN_TIMEOUT:
 sf->login_timeout = value ? *((int64 *) value) : SF_LOGIN_TIMEOUT;
diff --git a/scripts/build_curl.bat b/scripts/build_curl.bat
index b770c6ffaa..1004b64d71 100644
--- a/scripts/build_curl.bat
+++ b/scripts/build_curl.bat
@@ -11,7 +11,7 @@ @echo off
 set CURL_SRC_VERSION=8.10.1
-set CURL_BUILD_VERSION=2
+set CURL_BUILD_VERSION=4
 set CURL_VERSION=%CURL_SRC_VERSION%.%CURL_BUILD_VERSION%
 call %*
 goto :EOF
diff --git a/scripts/build_curl.sh b/scripts/build_curl.sh
index 8b2462dd82..63df1259c8 100755
--- a/scripts/build_curl.sh
+++ b/scripts/build_curl.sh
@@ -13,7 +13,7 @@ function usage() {
 set -o pipefail
 CURL_SRC_VERSION=8.10.1
-CURL_BUILD_VERSION=3
+CURL_BUILD_VERSION=4
 CURL_VERSION=${CURL_SRC_VERSION}.${CURL_BUILD_VERSION}
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
diff --git a/tests/test_ocsp_fail_open.c b/tests/test_ocsp_fail_open.c
index 58bf0ddc4b..451e493a67 100644
--- a/tests/test_ocsp_fail_open.c
+++ b/tests/test_ocsp_fail_open.c
@@ -4,7 +4,7 @@
 #include "utils/test_setup.h"
-#define FAIL_OPEN_DEFAULT SF_BOOLEAN_FALSE
+#define FAIL_OPEN_DEFAULT SF_BOOLEAN_TRUE
 void setCacheFile(char *cache_file) {
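Review bot: The fail-open default is now hard-coded as `SF_BOOLEAN_TRUE` in two unrelated places — the `sf->ocsp_fail_open` initialiser in snowflake_init and the NULL-value fallback in the `SF_CON_OCSP_FAIL_OPEN` case of snowflake_set_attribute — with nothing tying them together, so the next edit to one can silently leave the other behind. A single macro used by both, and by `FAIL_OPEN_DEFAULT` in tests/test_ocsp_fail_open.c (for example `SF_OCSP_FAIL_OPEN_DEFAULT`, name suggested here), would keep them in step. Flipping the default means a connection now proceeds when the certificate's OCSP status cannot be obtained unless the caller explicitly sets `SF_CON_OCSP_FAIL_OPEN` to false; that change should be documented on the attribute and in the changelog, and the fallback line deserves a comment because passing a NULL value now re-enables fail-open rather than disabling it. Both functions start and end outside their hunks.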