mongo 2.13.0 → 2.15.0.alpha

data/lib/mongo/server/pending_connection.rb

@@ -63,6 +63,11 @@ module Mongo
         end
 
         result = handshake!(speculative_auth_doc: speculative_auth_doc)
+
+        if description.unknown?
+          raise Error::InternalDriverError, "Connection description cannot be unknown after successful handshake: #{description.inspect}"
+        end
+
         if speculative_auth_doc && (speculative_auth_result = result['speculativeAuthenticate'])
           unless description.features.scram_sha_1_enabled?
             raise Error::InvalidServerAuthResponse, "Speculative auth succeeded on a pre-3.0 server"
@@ -80,11 +85,15 @@ module Mongo
               speculative_auth_result: speculative_auth_result,
             )
           else
-            raise NotImplementedError, "Speculative auth unexpectedly succeeded for mechanism #{speculative_auth_user.mechanism.inspect}"
+            raise Error::InternalDriverError, "Speculative auth unexpectedly succeeded for mechanism #{speculative_auth_user.mechanism.inspect}"
           end
         elsif !description.arbiter?
           authenticate!
         end
+
+        if description.unknown?
+          raise Error::InternalDriverError, "Connection description cannot be unknown after successful authentication: #{description.inspect}"
+        end
       end
 
       private
@@ -96,7 +105,7 @@ module Mongo
       #   this particular connection.
       def handshake!(speculative_auth_doc: nil)
         unless socket
-          raise Error::HandshakeError, "Cannot handshake because there is no usable socket (for #{address})"
+          raise Error::InternalDriverError, "Cannot handshake because there is no usable socket (for #{address})"
         end
 
         ismaster_doc = app_metadata.validated_document
@@ -104,21 +113,30 @@ module Mongo
           ismaster_doc = ismaster_doc.merge(speculativeAuthenticate: speculative_auth_doc)
         end
 
+        if server_api = options[:server_api]
+          ismaster_doc = ismaster_doc.merge(
+            Utils.transform_server_api(server_api)
+          )
+        end
+
         ismaster_command = Protocol::Query.new(Database::ADMIN, Database::COMMAND,
           ismaster_doc, :limit => -1)
 
-        response = nil
+        doc = nil
         @server.handle_handshake_failure! do
           begin
             response = @server.round_trip_time_averager.measure do
               add_server_diagnostics do
                 socket.write(ismaster_command.serialize.to_s)
-                Protocol::Message.deserialize(socket, Protocol::Message::MAX_MESSAGE_SIZE).documents.first
+                Protocol::Message.deserialize(socket, Protocol::Message::MAX_MESSAGE_SIZE)
               end
             end
+            result = Operation::Result.new([response])
+            result.validate!
+            doc = result.documents.first
           rescue => exc
             msg = "Failed to handshake with #{address}"
-            Utils.warn_monitor_exception(msg, exc,
+            Utils.warn_bg_exception(msg, exc,
               logger: options[:logger],
               log_prefix: options[:log_prefix],
               bg_error_backtrace: options[:bg_error_backtrace],
@@ -127,9 +145,9 @@ module Mongo
           end
         end
 
-        post_handshake(response, @server.round_trip_time_averager.average_round_trip_time)
+        post_handshake(doc, @server.round_trip_time_averager.average_round_trip_time)
 
-        response
+        doc
       end
 
       # @param [ String | nil ] speculative_auth_client_nonce The client
@@ -158,7 +176,7 @@ module Mongo
               auth.login
             rescue => exc
               msg = "Failed to authenticate to #{address}"
-              Utils.warn_monitor_exception(msg, exc,
+              Utils.warn_bg_exception(msg, exc,
                 logger: options[:logger],
                 log_prefix: options[:log_prefix],
                 bg_error_backtrace: options[:bg_error_backtrace],

data/lib/mongo/server/push_monitor.rb

@@ -33,6 +33,9 @@ module Mongo
         if topology_version.nil?
           raise ArgumentError, 'Topology version must be provided but it was nil'
         end
+        unless options[:app_metadata]
+          raise ArgumentError, 'App metadata is required'
+        end
         @monitor = monitor
         @topology_version = topology_version
         @monitoring = monitoring
@@ -101,7 +104,7 @@ module Mongo
         end
       rescue Mongo::Error => exc
         msg = "Error running awaited ismaster on #{server.address}"
-        Utils.warn_monitor_exception(msg, exc,
+        Utils.warn_bg_exception(msg, exc,
           logger: options[:logger],
           log_prefix: options[:log_prefix],
           bg_error_backtrace: options[:bg_error_backtrace],
@@ -139,7 +142,9 @@ module Mongo
           raise
         end
         @server_pushing = resp_msg.flags.include?(:more_to_come)
-        result = resp_msg.documents.first
+        result = Operation::Result.new(resp_msg)
+        result.validate!
+        result.documents.first
       end
 
       def write_ismaster
@@ -147,6 +152,11 @@ module Mongo
           topologyVersion: topology_version.to_doc,
           maxAwaitTimeMS: monitor.heartbeat_interval * 1000,
         )
+        if server_api = options[:server_api]
+          payload.update(
+            Utils.transform_server_api(server_api)
+          )
+        end
 
         req_msg = Protocol::Msg.new([:exhaust_allowed], {}, payload)
         @lock.synchronize { @connection }.write_bytes(req_msg.serialize.to_s)

data/lib/mongo/server_selector/base.rb

@@ -265,7 +265,11 @@ module Mongo
           end
         end
 
-        msg = "No #{name} server is available in cluster: #{cluster.summary} " +
+        msg = "No #{name} server"
+        if is_a?(ServerSelector::Secondary) && !tag_sets.empty?
+          msg += " with tag sets: #{tag_sets}"
+        end
+        msg += " is available in cluster: #{cluster.summary} " +
                 "with timeout=#{server_selection_timeout}, " +
                 "LT=#{local_threshold_with_cluster(cluster)}"
         msg += server_selection_diagnostic_message(cluster)

data/lib/mongo/session.rb

@@ -379,6 +379,7 @@ module Mongo
           rv = yield self
         rescue Exception => e
           if within_states?(STARTING_TRANSACTION_STATE, TRANSACTION_IN_PROGRESS_STATE)
+            log_warn("Aborting transaction due to #{e.class}: #{e}")
             abort_transaction
             transaction_in_progress = false
           end
@@ -443,7 +444,7 @@ module Mongo
       true
     ensure
       if transaction_in_progress
-        log_warn('with_transaction callback altered with_transaction loop, aborting transaction')
+        log_warn('with_transaction callback broke out of with_transaction loop, aborting transaction')
         begin
           abort_transaction
         rescue Error::OperationFailure, Error::InvalidTransactionOperation
@@ -534,6 +535,7 @@ module Mongo
     #
     # @since 2.6.0
     def commit_transaction(options=nil)
+      QueryCache.clear
       check_if_ended!
       check_if_no_transaction!
 
@@ -580,7 +582,7 @@ module Mongo
               txn_num: txn_num,
               write_concern: write_concern,
             }
-            Operation::Command.new(spec).execute(server, client: @client)
+            Operation::Command.new(spec).execute(server, context: Operation::Context.new(client: @client, session: self))
           end
         end
       ensure
@@ -602,6 +604,8 @@ module Mongo
     #
     # @since 2.6.0
     def abort_transaction
+      QueryCache.clear
+
       check_if_ended!
       check_if_no_transaction!
 
@@ -625,7 +629,7 @@ module Mongo
               db_name: 'admin',
               session: self,
               txn_num: txn_num
-            ).execute(server, client: @client)
+            ).execute(server, context: Operation::Context.new(client: @client, session: self))
           end
         end
 

data/lib/mongo/session/session_pool.rb

@@ -119,8 +119,10 @@ module Mongo
             },
             db_name: Database::ADMIN,
           )
-          # end_sessions does not take a client as an argument
-          op.execute(server, client: nil)
+          context = Operation::Context.new(options: {
+            server_api: server.options[:server_api],
+          })
+          op.execute(server, context: context)
         end
       rescue Mongo::Error, Error::AuthError
       end

data/lib/mongo/socket.rb

@@ -15,6 +15,8 @@
 require 'mongo/socket/ssl'
 require 'mongo/socket/tcp'
 require 'mongo/socket/unix'
+require 'mongo/socket/ocsp_verifier'
+require 'mongo/socket/ocsp_cache'
 
 module Mongo
 
@@ -25,10 +27,11 @@ module Mongo
   class Socket
     include ::Socket::Constants
 
-    # Error message for SSL related exceptions.
+    # Error message for TLS related exceptions.
     #
     # @since 2.0.0
-    SSL_ERROR = 'MongoDB may not be configured with SSL support'.freeze
+    # @deprecated
+    SSL_ERROR = 'MongoDB may not be configured with TLS support'.freeze
 
     # Error message for timeouts on socket calls.
     #
@@ -129,7 +132,7 @@ module Mongo
       sock_arr = [ @socket ]
       if Kernel::select(sock_arr, nil, sock_arr, 0)
         # The eof? call is supposed to return immediately since select
-        # indicated the socket is readable. However, if @socket is an SSL
+        # indicated the socket is readable. However, if @socket is a TLS
         # socket, eof? can block anyway - see RUBY-2140.
         begin
           Timeout.timeout(0.1) do
@@ -152,7 +155,14 @@ module Mongo
     #
     # @since 2.0.0
     def close
-      @socket.close rescue nil
+      begin
+        # Sometimes it seems the close call can hang for a long time
+        ::Timeout.timeout(5) do
+          @socket.close
+        end
+      rescue
+        # Silence all errors
+      end
       true
     end
 
@@ -324,8 +334,21 @@ module Mongo
         else
           select_args = [nil, [@socket], [@socket], select_timeout]
         end
-        unless Kernel::select(*select_args)
-          raise Errno::ETIMEDOUT, "Took more than #{_timeout} seconds to receive data"
+        rv = Kernel.select(*select_args)
+        if BSON::Environment.jruby?
+          # Ignore the return value of Kernel.select.
+          # On JRuby, select appears to return nil prior to timeout expiration
+          # (apparently due to a EAGAIN) which then causes us to fail the read
+          # even though we could have retried it.
+          # Check the deadline ourselves.
+          if deadline
+            select_timeout = deadline - Time.now
+            if select_timeout <= 0
+              raise Errno::ETIMEDOUT, "Took more than #{_timeout} seconds to receive data"
+            end
+          end
+        elsif rv.nil?
+          raise Errno::ETIMEDOUT, "Took more than #{_timeout} seconds to receive data (select call timed out)"
         end
         retry
       end
@@ -342,7 +365,7 @@ module Mongo
     end
 
     def read_buffer_size
-      # Buffer size for non-SSL reads
+      # Buffer size for non-TLS reads
       # 64kb
       65536
     end
@@ -396,6 +419,10 @@ module Mongo
       set_option(sock, :TCP_KEEPCNT, DEFAULT_TCP_KEEPCNT)
       set_option(sock, :TCP_KEEPIDLE, DEFAULT_TCP_KEEPIDLE)
     rescue
+      # JRuby 9.2.13.0 and lower do not define TCP_KEEPINTVL etc. constants.
+      # JRuby 9.2.14.0 defines the constants but does not allow to get or
+      # set them with this error:
+      # Errno::ENOPROTOOPT: Protocol not available - Protocol not available
     end
 
     def set_option(sock, option, default)
@@ -420,7 +447,7 @@ module Mongo
       rescue IOError, SystemCallError => e
         raise Error::SocketError, "#{e.class}: #{e} (for #{human_address})"
       rescue OpenSSL::SSL::SSLError => e
-        raise Error::SocketError, "#{e.class}: #{e} (for #{human_address}) (#{SSL_ERROR})"
+        raise Error::SocketError, "#{e.class}: #{e} (for #{human_address})"
       end
     end
 

data/lib/mongo/socket/ocsp_cache.rb

@@ -0,0 +1,97 @@
+# Copyright (C) 2020 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  class Socket
+
+    # This module caches OCSP responses for their indicated validity time.
+    #
+    # The key is the CertificateId used for the OCSP request.
+    # The value is the SingleResponse on Ruby 2.4+, or the OpenStruct
+    # emulation of it on Ruby 2.3.
+    #
+    # @api private
+    module OcspCache
+      module_function def set(cert_id, response)
+        delete(cert_id)
+        responses << response
+      end
+
+      # Retrieves a cached SingleResponse for the specified CertificateId.
+      #
+      # This method may return expired responses if they are revoked.
+      # Such responses were valid when they were first received.
+      #
+      # This method may also return responses that are valid but that may
+      # expire by the time caller uses them. The caller should not perform
+      # update time checks on the returned response.
+      #
+      # @return [ OpenSSL::OCSP::SingleResponse | OpenStruct ] The previously
+      #   retrieved response.
+      module_function def get(cert_id)
+        resp = responses.detect do |resp|
+          resp.certid.cmp(cert_id)
+        end
+        if resp
+          # Only expire responses with good status.
+          # Once a certificate is revoked, it should stay revoked forever,
+          # hence we should be able to cache revoked responses indefinitely.
+          if resp.cert_status == OpenSSL::OCSP::V_CERTSTATUS_GOOD &&
+            resp.next_update < Time.now
+          then
+            responses.delete(resp)
+            resp = nil
+          end
+        end
+
+        # If we have connected to a server and cached the OCSP response for it,
+        # and then never connect to that server again, the cached OCSP response
+        # is going to remain in memory indefinitely. Periodically remove all
+        # expired OCSP responses, not just the ones matching the certificate id
+        # we are querying by.
+        if rand < 0.01
+          responses.delete_if do |resp|
+            resp.next_update < Time.now
+          end
+        end
+
+        resp
+      end
+
+      module_function def delete(cert_id)
+        responses.delete_if do |resp|
+          resp.certid.cmp(cert_id)
+        end
+      end
+
+      # Clears the driver's OCSP response cache.
+      #
+      # @note Use Mongo.clear_ocsp_cache from applications instead of invoking
+      #   this method directly.
+      module_function def clear
+        responses.replace([])
+      end
+
+      private
+
+      LOCK = Mutex.new
+
+      module_function def responses
+        LOCK.synchronize do
+          @responses ||= []
+        end
+      end
+    end
+  end
+end

data/lib/mongo/socket/ocsp_verifier.rb

@@ -0,0 +1,368 @@
+# Copyright (C) 2020 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Net
+  autoload :HTTP, 'net/http'
+end
+
+module Mongo
+  class Socket
+
+    # OCSP endpoint verifier.
+    #
+    # After a TLS connection is established, this verifier inspects the
+    # certificate presented by the server, and if the certificate contains
+    # an OCSP URI, performs the OCSP status request to the specified URI
+    # (following up to 5 redirects) to verify the certificate status.
+    #
+    # @see https://ruby-doc.org/stdlib/libdoc/openssl/rdoc/OpenSSL/OCSP.html
+    #
+    # @api private
+    class OcspVerifier
+      include Loggable
+
+      # @param [ String ] host_name The host name being verified, for
+      #   diagnostic output.
+      # @param [ OpenSSL::X509::Certificate ] cert The certificate presented by
+      #   the server at host_name.
+      # @param [ OpenSSL::X509::Certificate ] ca_cert The CA certificate
+      #   presented by the server or resolved locally from the server
+      #   certificate.
+      # @param [ OpenSSL::X509::Store ] cert_store The certificate store to
+      #   use for verifying OCSP response. This should be the same store as
+      #   used in SSLContext used with the SSLSocket that we are verifying the
+      #   certificate for. This must NOT be the CA certificate provided by
+      #   the server (i.e. anything taken out of peer_cert) - otherwise the
+      #   server would dictate which CA authorities the client trusts.
+      def initialize(host_name, cert, ca_cert, cert_store, **opts)
+        @host_name = host_name
+        @cert = cert
+        @ca_cert = ca_cert
+        @cert_store = cert_store
+        @options = opts
+      end
+
+      attr_reader :host_name
+      attr_reader :cert
+      attr_reader :ca_cert
+      attr_reader :cert_store
+      attr_reader :options
+
+      def timeout
+        options[:timeout] || 5
+      end
+
+      # @return [ Array<String> ] OCSP URIs in the specified server certificate.
+      def ocsp_uris
+        @ocsp_uris ||= begin
+          # https://tools.ietf.org/html/rfc3546#section-2.3
+          # prohibits multiple extensions with the same oid.
+          ext = cert.extensions.detect do |ext|
+            ext.oid == 'authorityInfoAccess'
+          end
+
+          if ext
+            # Our test certificates have multiple OCSP URIs.
+            ext.value.split("\n").select do |line|
+              line.start_with?('OCSP - URI:')
+            end.map do |line|
+              line.split(':', 2).last
+            end
+          else
+            []
+          end
+        end
+      end
+
+      def cert_id
+        @cert_id ||= OpenSSL::OCSP::CertificateId.new(
+          cert,
+          ca_cert,
+          OpenSSL::Digest::SHA1.new,
+        )
+      end
+
+      def verify_with_cache
+        handle_exceptions do
+          return false if ocsp_uris.empty?
+
+          resp = OcspCache.get(cert_id)
+          if resp
+            return return_ocsp_response(resp)
+          end
+
+          resp, errors = do_verify
+
+          if resp
+            OcspCache.set(cert_id, resp)
+          end
+
+          return_ocsp_response(resp, errors)
+        end
+      end
+
+      # @return [ true | false ] Whether the certificate was verified.
+      #
+      # @raise [ Error::ServerCertificateRevoked ] If the certificate was
+      #   definitively revoked.
+      def verify
+        handle_exceptions do
+          return false if ocsp_uris.empty?
+
+          resp, errors = do_verify
+          return_ocsp_response(resp, errors)
+        end
+      end
+
+      private
+
+      def do_verify
+        # This synchronized array contains definitive pass/fail responses
+        # obtained from the responders. We'll take the first one but due to
+        # concurrency multiple responses may be produced and queued.
+        @resp_queue = Queue.new
+
+        # This synchronized array contains strings, one per responder, that
+        # explain why each responder hasn't produced a definitive response.
+        # These are concatenated and logged if none of the responders produced
+        # a definitive respnose, or if the main thread times out waiting for
+        # a definitive response (in which case some of the worker threads'
+        # diagnostics may be logged and some may not).
+        @resp_errors = Queue.new
+
+        @req = OpenSSL::OCSP::Request.new
+        @req.add_certid(cert_id)
+        @req.add_nonce
+        @serialized_req = @req.to_der
+
+        @outstanding_requests = ocsp_uris.count
+        @outstanding_requests_lock = Mutex.new
+
+        threads = ocsp_uris.map do |uri|
+          Thread.new do
+            verify_one_responder(uri)
+          end
+        end
+
+        resp = begin
+          ::Timeout.timeout(timeout) do
+            @resp_queue.shift
+          end
+        rescue ::Timeout::Error
+          nil
+        end
+
+        threads.map(&:kill)
+        threads.map(&:join)
+
+        [resp, @resp_errors]
+      end
+
+      def verify_one_responder(uri)
+        original_uri = uri
+        redirect_count = 0
+        http_response = nil
+        loop do
+          http_response = begin
+            uri = URI(uri)
+            Net::HTTP.start(uri.hostname, uri.port) do |http|
+              path = uri.path
+              if path.empty?
+                path = '/'
+              end
+              http.post(path, @serialized_req,
+                'content-type' => 'application/ocsp-request')
+            end
+          rescue IOError, SystemCallError => e
+            @resp_errors << "OCSP request to #{report_uri(original_uri, uri)} failed: #{e.class}: #{e}"
+            return false
+          end
+
+          code = http_response.code.to_i
+          if (300..399).include?(code)
+            redirected_uri = http_response.header['location']
+            uri = ::URI.join(uri, redirected_uri)
+            redirect_count += 1
+            if redirect_count > 5
+              @resp_errors << "OCSP request to #{report_uri(original_uri, uri)} failed: too many redirects (6)"
+              return false
+            end
+            next
+          end
+
+          if code >= 400
+            @resp_errors << "OCSP request to #{report_uri(original_uri, uri)} failed with HTTP status code #{http_response.code}" + report_response_body(http_response.body)
+            return false
+          end
+
+          if code != 200
+            # There must be a body provided with the response, if one isn't
+            # provided the response cannot be verified.
+            @resp_errors << "OCSP request to #{report_uri(original_uri, uri)} failed with unexpected HTTP status code #{http_response.code}" + report_response_body(http_response.body)
+            return false
+          end
+
+          break
+        end
+
+        resp = OpenSSL::OCSP::Response.new(http_response.body).basic
+        unless resp.verify([ca_cert], cert_store)
+          # Ruby's OpenSSL binding discards error information - see
+          # https://github.com/ruby/openssl/issues/395
+          @resp_errors << "OCSP response from #{report_uri(original_uri, uri)} failed signature verification; set `OpenSSL.debug = true` to see why"
+          return false
+        end
+
+        if @req.check_nonce(resp) == 0
+          @resp_errors << "OCSP response from #{report_uri(original_uri, uri)} included invalid nonce"
+          return false
+        end
+
+        if resp.respond_to?(:find_response)
+          # Ruby 2.4+
+          resp = resp.find_response(cert_id)
+          # TODO make a new class instead of patching the stdlib one?
+          resp.instance_variable_set('@uri', uri)
+          resp.instance_variable_set('@original_uri', original_uri)
+          class << resp
+            attr_reader :uri, :original_uri
+          end
+        else
+          # Ruby 2.3
+          found = nil
+          resp.status.each do |_cert_id, cert_status, revocation_reason, revocation_time, this_update, next_update, extensions|
+            if _cert_id.cmp(cert_id)
+              found = OpenStruct.new(
+                cert_status: cert_status,
+                certid: _cert_id,
+                next_update: next_update,
+                this_update: this_update,
+                revocation_reason: revocation_reason,
+                revocation_time: revocation_time,
+                extensions: extensions,
+                uri: uri,
+                original_uri: original_uri,
+              )
+              class << found
+                # Unlike the stdlib method, this one doesn't accept
+                # any arguments.
+                def check_validity
+                  now = Time.now
+                  this_update <= now && next_update >= now
+                end
+              end
+              break
+            end
+          end
+          resp = found
+        end
+
+        unless resp
+          @resp_errors << "OCSP response from #{report_uri(original_uri, uri)} did not include information about the requested certificate"
+          return false
+        end
+
+        unless resp.check_validity
+          @resp_errors << "OCSP response from #{report_uri(original_uri, uri)} was invalid: this_update was in the future or next_update time has passed"
+          return false
+        end
+
+        unless [
+          OpenSSL::OCSP::V_CERTSTATUS_GOOD,
+          OpenSSL::OCSP::V_CERTSTATUS_REVOKED,
+        ].include?(resp.cert_status)
+          @resp_errors << "OCSP response from #{report_uri(original_uri, uri)} had a non-definitive status: #{resp.cert_status}"
+          return false
+        end
+
+        # Note this returns the redirected URI
+        @resp_queue << resp
+      rescue => exc
+        Utils.warn_bg_exception("Error performing OCSP verification for '#{host_name}' via '#{uri}'", exc,
+          logger: options[:logger],
+          log_prefix: options[:log_prefix],
+          bg_error_backtrace: options[:bg_error_backtrace],
+        )
+        false
+      ensure
+        @outstanding_requests_lock.synchronize do
+          @outstanding_requests -= 1
+          if @outstanding_requests == 0
+            @resp_queue << nil
+          end
+        end
+      end
+
+      def return_ocsp_response(resp, errors = nil)
+        if resp
+          if resp.cert_status == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+            raise_revoked_error(resp)
+          end
+          true
+        else
+          reasons = []
+          errors.length.times do
+            reasons << errors.shift
+          end
+          if reasons.empty?
+            msg = "No responses from responders: #{ocsp_uris.join(', ')} within #{timeout} seconds"
+          else
+            msg = "For responders #{ocsp_uris.join(', ')} with a timeout of #{timeout} seconds: #{reasons.join(', ')}"
+          end
+          log_warn("TLS certificate of '#{host_name}' could not be definitively verified via OCSP: #{msg}")
+          false
+        end
+      end
+
+      def handle_exceptions
+        begin
+          yield
+        rescue Error::ServerCertificateRevoked
+          raise
+        rescue => exc
+          Utils.warn_bg_exception(
+            "Error performing OCSP verification for '#{host_name}'",
+            exc,
+            **options)
+          false
+        end
+      end
+
+      def raise_revoked_error(resp)
+        if resp.uri == resp.original_uri
+          redirect = ''
+        else
+          redirect = " (redirected from #{resp.original_uri})"
+        end
+        raise Error::ServerCertificateRevoked, "TLS certificate of '#{host_name}' has been revoked according to '#{resp.uri}'#{redirect} for reason '#{resp.revocation_reason}' at '#{resp.revocation_time}'"
+      end
+
+      def report_uri(original_uri, uri)
+        if URI(uri) == URI(original_uri)
+          uri
+        else
+          "#{original_uri} (redirected to #{uri})"
+        end
+      end
+
+      def report_response_body(body)
+        if body
+          ": #{body}"
+        else
+          ''
+        end
+      end
+    end
+  end
+end