From 6c62b60d5d7b93757dd8b7adb58e67b46ccc5524 Mon Sep 17 00:00:00 2001
From: Jamis Buck
Date: Fri, 8 Aug 2025 12:15:20 -0600
Subject: [PATCH] Gracefully handle the case where the issuer can't be found
---
 lib/mongo/socket/ssl.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/mongo/socket/ssl.rb b/lib/mongo/socket/ssl.rb
index 60853b8cb2..dd458c704e 100644
--- a/lib/mongo/socket/ssl.rb
+++ b/lib/mongo/socket/ssl.rb
@@ -23,6 +23,7 @@ class Socket
 # @since 2.0.0
 class SSL < Socket
 include OpenSSL
+ include Loggable
 # Initializes a new TLS socket.
 #
@@ -455,13 +456,16 @@ def verify_certificate!(socket)
 end
 def verify_ocsp_endpoint!(socket, timeout = nil)
- unless verify_ocsp_endpoint?
- return
- end
+ return unless verify_ocsp_endpoint?
 cert = socket.peer_cert
 ca_cert = find_issuer(cert, socket.peer_cert_chain)
+ unless ca_cert
+ log_warn("TLS certificate of '#{host_name}' could not be definitively verified via OCSP: issuer certificate not found in the chain.")
+ return
+ end
+
 verifier = OcspVerifier.new(@host_name, cert, ca_cert, context.cert_store, **Utils.shallow_symbolize_keys(options).merge(timeout: timeout))
 verifier.verify_with_cache
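Review bot: The new `unless ca_cert` branch in `verify_ocsp_endpoint!` fails open: when `find_issuer` finds no issuer in `socket.peer_cert_chain`, the method logs a warning and returns, so the connection continues with no revocation check at all. The chain contents are supplied by the peer, so this path is not limited to misconfiguration, and the code should say that the soft-fail is deliberate, e.g. `# Soft-fail: without the issuer no OCSP request can be built, so revocation is NOT checked for this connection.` The warning also interpolates `host_name` while the following line passes `@host_name`; no reader of that name is visible in the hunk, and if none exists the "graceful" path would itself raise NameError, so `@host_name` is the safer spelling there. The body of `verify_ocsp_endpoint!` continues past the end of the hunk.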