@@ -214,3 +214,87 @@ object to the builder in the ``applyToSslSettings()`` lambda:
214214 })
215215 .build();
216216 MongoClient client = MongoClients.create(settings);
217+
218+ Online Certificate Status Protocol (OCSP)
219+ -----------------------------------------
220+
221+ OCSP is a standard used to check whether X.509 certificates have been
222+ revoked. A certificate authority can add an X.509 certificate to the
223+ Certificate Revocation List (CRL) prior to the expiry time to invalidate
224+ the certificate. When a client sends an X.509 certificate during the TLS
225+ handshake, the CA's revocation server checks the CRL and returns a status
226+ of "good", "revoked", or "unknown".
227+
228+ The driver supports the following variations of OCSP:
229+
230+ - **Client-Driven OCSP**
231+ - **OCSP Stapling**
232+
233+ The following sections describe the differences between them and how to enable
234+ them for your application.
235+
236+ .. note::
237+
238+ The Java driver uses the JVM arguments configured for the application
239+ and cannot be overridden for a specific ``MongoClient`` instance.
240+
241+ Client-Driven OCSP
242+ ~~~~~~~~~~~~~~~~~~
243+
244+ In client-driven OCSP, the client sends the certificate in an OCSP request to
245+ an OCSP responder after receiving the certificate from the server. The OCSP
246+ responder checks the status of the certificate with a certificate
247+ authority (CA) and reports whether it's valid in a response sent to the
248+ client.
249+
250+ To enable client-driven OCSP for your application, set the following JVM
251+ system properties:
252+
253+ .. list-table::
254+ :header-rows: 1
255+ :widths: 35 65
256+
257+ * - Property
258+ - Value
259+
260+ * - ``com.sun.net.ssl.checkRevocation``
261+ - Set this property to ``true`` to enable revocation checking.
262+
263+ * - ``ocsp.enable``
264+ - Set this property to ``true`` to enable client-driven OCSP.
265+
266+ .. warning::
267+
268+ If the OCSP responder is unavailable, the TLS support provided by the
269+ JDK reports a "hard fail". This differs from the "soft fail" behavior of
270+ the MongoDB Shell and some other drivers.
271+
272+ OCSP Stapling
273+ ~~~~~~~~~~~~~
274+
275+ OCSP stapling is a mechanism in which the server must obtain the signed
276+ certificate from the certificate authority (CA) and include it in a
277+ time-stamped OCSP response to the client.
278+
279+ To enable OCSP stapling for your application, set the following JVM system
280+ properties:
281+
282+ .. list-table::
283+ :header-rows: 1
284+ :widths: 50 50
285+
286+ * - Property
287+ - Description
288+
289+ * - ``com.sun.net.ssl.checkRevocation``
290+ - Set this property to ``true`` to enable revocation checking.
291+
292+ * - ``jdk.tls.client.enableStatusRequestExtension``
293+ - | Set this property to ``true`` to enable OCSP stapling.
294+ |
295+ | If unset or set to ``false``, the connection can proceed regardless of the presence or status of the certificate revocation response.
296+
297+ For additional information about OCSP, check out the following resources:
298+
299+ - Java SE 8 Documentation on `how to enable OCSP for an application <https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ocsp.html>`__
300+ - :rfc:`Official IETF specification for OCSP (RFC 6960) <6960>`
0 commit comments