diff options
author | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-10-03 23:17:42 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-10-31 11:10:15 -0400 |
commit | 8c1de7e08de30a38f3d878118248735e6e2ea72a (patch) | |
tree | 8280b05cb4eec4f59ca01f9936476235409d9eae | |
parent | 573f92bd3567a70f2b6bdc8295a9d230dec1cf04 (diff) | |
download | mongo-8c1de7e08de30a38f3d878118248735e6e2ea72a.tar.gz |
SERVER-37135: Track and report TLS 1.3
(cherry picked from commit cbb76539c47068f8836ed05283763e687cf126a7)
-rw-r--r-- | jstests/ssl/libs/ssl_helpers.js | 27 | ||||
-rw-r--r-- | jstests/ssl/ssl_count_protocols.js | 32 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 16 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.h | 3 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_status.cpp | 2 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.cpp | 3 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.h | 4 |
7 files changed, 81 insertions, 6 deletions
diff --git a/jstests/ssl/libs/ssl_helpers.js b/jstests/ssl/libs/ssl_helpers.js index ee5d4f05a92..758bc2cd26a 100644 --- a/jstests/ssl/libs/ssl_helpers.js +++ b/jstests/ssl/libs/ssl_helpers.js @@ -174,3 +174,30 @@ function mixedShardTest(options1, options2, shouldSucceed) { } } } + +function detectDefaultTLSProtocol() { + const conn = MongoRunner.runMongod({ + sslMode: 'allowSSL', + sslPEMKeyFile: SERVER_CERT, + sslDisabledProtocols: 'none', + useLogFiles: true, + tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3", + }); + + const res = conn.getDB("admin").serverStatus().transportSecurity; + + MongoRunner.stopMongod(conn); + + // Verify that the default protocol is either TLS1.2 or TLS1.3. + // No supported platform should default to an older protocol version. + assert.eq(0, res["1.0"]); + assert.eq(0, res["1.1"]); + assert.eq(0, res["unknown"]); + assert.neq(res["1.2"], res["1.3"]); + + if (res["1.2"].tojson() != NumberLong(0).tojson()) { + return "TLS1_2"; + } else { + return "TLS1_3"; + } +} diff --git a/jstests/ssl/ssl_count_protocols.js b/jstests/ssl/ssl_count_protocols.js index ae21894eee0..a9e3202c30f 100644 --- a/jstests/ssl/ssl_count_protocols.js +++ b/jstests/ssl/ssl_count_protocols.js @@ -2,23 +2,35 @@ (function() { 'use strict'; + load("jstests/ssl/libs/ssl_helpers.js"); + var SERVER_CERT = "jstests/libs/server.pem"; var CLIENT_CERT = "jstests/libs/client.pem"; var CA_CERT = "jstests/libs/ca.pem"; + const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]; + + // First, figure out what protocol our local TLS stack wants to speak. + // We're going to observe a connection of this type from the testrunner. + const expectedDefaultProtocol = detectDefaultTLSProtocol(); + print("Expected default protocol: " + expectedDefaultProtocol); + function runTestWithoutSubset(client) { - let disabledProtocols = ["TLS1_0", "TLS1_1", "TLS1_2"]; - let expectedCounts = [0, 0, 1]; + print("Running test: " + client); + let disabledProtocols = protocols.slice(); + let expectedCounts = [0, 0, 0, 0, 0]; + expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1; var index = disabledProtocols.indexOf(client); disabledProtocols.splice(index, 1); expectedCounts[index] += 1; + print(tojson(expectedCounts)); const conn = MongoRunner.runMongod({ sslMode: 'allowSSL', sslPEMKeyFile: SERVER_CERT, sslDisabledProtocols: 'none', useLogFiles: true, - tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2", + tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3", }); print(disabledProtocols); @@ -43,8 +55,21 @@ 'a[one] = NumberLong(' + expectedCounts[0] + ');' + 'a["1.1"] = NumberLong(' + expectedCounts[1] + ');' + 'a["1.2"] = NumberLong(' + expectedCounts[2] + ');' + + 'a["1.3"] = NumberLong(' + expectedCounts[3] + ');' + + 'a["unknown"] = NumberLong(' + expectedCounts[4] + ');' + 'assert.eq(db.serverStatus().transportSecurity, a);'); + if (expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3") { + // If the runtime environment does not support TLS 1.3, a client cannot connect to a + // server if TLS 1.3 is its only usable protocol version. + assert.neq( + 0, + exitStatus, + "A client which does not support TLS 1.3 should not be able to connect with it"); + MongoRunner.stopMongod(conn); + return; + } + assert.eq(0, exitStatus, ""); print(`Checking ${conn.fullOptions.logFile} for TLS version message`); @@ -73,5 +98,6 @@ runTestWithoutSubset("TLS1_0"); runTestWithoutSubset("TLS1_1"); runTestWithoutSubset("TLS1_2"); + runTestWithoutSubset("TLS1_3"); })(); diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index 2a4c5a32f44..35353a81228 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -229,6 +229,9 @@ UniqueBIO makeUniqueMemBio(std::vector<std::uint8_t>& v) { #ifndef SSL_OP_NO_TLSv1_2 #define SSL_OP_NO_TLSv1_2 0 #endif +#ifndef SSL_OP_NO_TLSv1_3 +#define SSL_OP_NO_TLSv1_3 0 +#endif // clang-format off #ifndef MONGO_CONFIG_HAVE_ASN1_ANY_DEFINITIONS @@ -944,6 +947,8 @@ Status SSLManager::initSSLContext(SSL_CTX* context, supportedProtocols |= SSL_OP_NO_TLSv1_1; } else if (protocol == SSLParams::Protocols::TLS1_2) { supportedProtocols |= SSL_OP_NO_TLSv1_2; + } else if (protocol == SSLParams::Protocols::TLS1_3) { + supportedProtocols |= SSL_OP_NO_TLSv1_3; } } ::SSL_CTX_set_options(context, supportedProtocols); @@ -1680,9 +1685,18 @@ void recordTLSVersion(TLSVersion version, const HostAndPort& hostForLogging) { versionString = "1.2"_sd; } break; + case TLSVersion::kTLS13: + counts.tls13.addAndFetch(1); + if (std::find(sslGlobalParams.tlsLogVersions.cbegin(), + sslGlobalParams.tlsLogVersions.cend(), + SSLParams::Protocols::TLS1_3) != sslGlobalParams.tlsLogVersions.cend()) { + versionString = "1.3"_sd; + } + break; default: + counts.tlsUnknown.addAndFetch(1); if (!sslGlobalParams.tlsLogVersions.empty()) { - versionString = "unkown"_sd; + versionString = "unknown"_sd; } break; } diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h index 68827d322de..b0039826240 100644 --- a/src/mongo/util/net/ssl_manager.h +++ b/src/mongo/util/net/ssl_manager.h @@ -108,9 +108,11 @@ const ASN1OID mongodbRolesOID("1.3.6.1.4.1.34601.2.1.1", * Counts of negogtiated version used by TLS connections. */ struct TLSVersionCounts { + AtomicInt64 tlsUnknown; AtomicInt64 tls10; AtomicInt64 tls11; AtomicInt64 tls12; + AtomicInt64 tls13; static TLSVersionCounts& get(); }; @@ -232,6 +234,7 @@ enum class TLSVersion { kTLS10, kTLS11, kTLS12, + kTLS13, }; /** diff --git a/src/mongo/util/net/ssl_manager_status.cpp b/src/mongo/util/net/ssl_manager_status.cpp index e6be8d30c6a..b516290efdc 100644 --- a/src/mongo/util/net/ssl_manager_status.cpp +++ b/src/mongo/util/net/ssl_manager_status.cpp @@ -62,6 +62,8 @@ public: builder.append("1.0", counts.tls10.load()); builder.append("1.1", counts.tls11.load()); builder.append("1.2", counts.tls12.load()); + builder.append("1.3", counts.tls13.load()); + builder.append("unknown", counts.tlsUnknown.load()); return builder.obj(); } } tlsVersionStatus; diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp index 147bf971998..39d52dbbf30 100644 --- a/src/mongo/util/net/ssl_options.cpp +++ b/src/mongo/util/net/ssl_options.cpp @@ -153,6 +153,7 @@ Status storeTLSLogVersion(const std::string& loggedProtocols) { {"TLS1_0", SSLParams::Protocols::TLS1_0}, {"TLS1_1", SSLParams::Protocols::TLS1_1}, {"TLS1_2", SSLParams::Protocols::TLS1_2}, + {"TLS1_3", SSLParams::Protocols::TLS1_3}, }; // Map the tokens to their enum values, and push them onto the list of logged protocols. @@ -300,6 +301,7 @@ Status storeDisabledProtocols(const std::string& disabledProtocols, {"TLS1_0", SSLParams::Protocols::TLS1_0}, {"TLS1_1", SSLParams::Protocols::TLS1_1}, {"TLS1_2", SSLParams::Protocols::TLS1_2}, + {"TLS1_3", SSLParams::Protocols::TLS1_3}, }; // These noTLS* tokens exist for backwards compatibility. @@ -307,6 +309,7 @@ Status storeDisabledProtocols(const std::string& disabledProtocols, {"noTLS1_0", SSLParams::Protocols::TLS1_0}, {"noTLS1_1", SSLParams::Protocols::TLS1_1}, {"noTLS1_2", SSLParams::Protocols::TLS1_2}, + {"noTLS1_3", SSLParams::Protocols::TLS1_3}, }; // Map the tokens to their enum values, and push them onto the list of disabled protocols. diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h index b6816bf27ed..5684e37636e 100644 --- a/src/mongo/util/net/ssl_options.h +++ b/src/mongo/util/net/ssl_options.h @@ -44,8 +44,8 @@ class Environment; } // namespace optionenvironment struct SSLParams { - enum class Protocols { TLS1_0, TLS1_1, TLS1_2 }; - AtomicInt32 sslMode; // --sslMode - the SSL operation mode, see enum SSLModes + enum class Protocols { TLS1_0, TLS1_1, TLS1_2, TLS1_3 }; + AtomicInt32 sslMode; // --sslMode - the TLS operation mode, see enum SSLModes std::string sslPEMTempDHParam; // --setParameter OpenSSLDiffieHellmanParameters=file : PEM file // with DH parameters. std::string sslPEMKeyFile; // --sslPEMKeyFile |