authorAndrew Shuvalov <andrew.shuvalov@mongodb.com>2021-02-05 02:59:19 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-02-11 14:45:36 +0000
commit8e1cd3402cc0c27d1332ac78a93919bd17d3d556 (patch)
treef21e2835f5baeb47d2e3e8a662e0cd1cbbd91ce7
parente9b02873749f2331f1853d00e13c8a67b39bf53a (diff)
downloadmongo-8e1cd3402cc0c27d1332ac78a93919bd17d3d556.tar.gz
SERVER-54328: Refactor creation of transient SSLConnectionContext to own its own instance of SSLManagerInterface
-rw-r--r--src/mongo/transport/transport_layer_asio.cpp31
-rw-r--r--src/mongo/transport/transport_layer_asio.h9
-rw-r--r--src/mongo/util/net/ssl_manager.cpp6
-rw-r--r--src/mongo/util/net/ssl_manager.h36
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp16
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp74
-rw-r--r--src/mongo/util/net/ssl_manager_test.cpp49
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp17
8 files changed, 145 insertions, 93 deletions
diff --git a/src/mongo/transport/transport_layer_asio.cpp b/src/mongo/transport/transport_layer_asio.cpp
index 60d66c0c04b..205a3066949 100644
--- a/src/mongo/transport/transport_layer_asio.cpp
+++ b/src/mongo/transport/transport_layer_asio.cpp
@@ -1229,8 +1229,7 @@ SSLParams::SSLModes TransportLayerASIO::_sslMode() const {
Status TransportLayerASIO::rotateCertificates(std::shared_ptr<SSLManagerInterface> manager,
bool asyncOCSPStaple) {
- auto contextOrStatus =
- _createSSLContext(manager, _sslMode(), TransientSSLParams(), asyncOCSPStaple);
+ auto contextOrStatus = _createSSLContext(manager, _sslMode(), asyncOCSPStaple);
if (!contextOrStatus.isOK()) {
return contextOrStatus.getStatus();
}
@@ -1241,7 +1240,6 @@ Status TransportLayerASIO::rotateCertificates(std::shared_ptr<SSLManagerInterfac
StatusWith<std::shared_ptr<const transport::SSLConnectionContext>>
TransportLayerASIO::_createSSLContext(std::shared_ptr<SSLManagerInterface>& manager,
SSLParams::SSLModes sslMode,
- TransientSSLParams transientEgressSSLParams,
bool asyncOCSPStaple) const {
std::shared_ptr<SSLConnectionContext> newSSLContext = std::make_shared<SSLConnectionContext>();
@@ -1254,7 +1252,6 @@ TransportLayerASIO::_createSSLContext(std::shared_ptr<SSLManagerInterface>& mana
Status status = newSSLContext->manager->initSSLContext(
newSSLContext->ingress->native_handle(),
sslParams,
- TransientSSLParams(), // Ingress is not using transient params, they are egress.
SSLManagerInterface::ConnectionDirection::kIncoming);
if (!status.isOK()) {
return status;
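Review bot: This call now builds the ingress `SSL_CTX` with whatever manager was passed in, and after this change `createTransientSSLContext` passes a manager created with `isSSLServer == false` whose own constructor describes it as an egress-only manager; whether this branch is reachable for a transient context depends on the `if` that guards it, which begins outside the hunk (the egress counterpart below is guarded by `_listenerOptions.isEgress()`). If it is reachable, a transient context ends up carrying an ingress context initialized from the global `sslParams` by a client-only manager, which is at best wasted work and at worst a server identity the caller never asked for. Guarding the ingress setup with `!newSSLContext->manager->isTransient()` would make the transient context egress-only, as its name implies. `_createSSLContext` continues outside this hunk.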
@@ -1271,28 +1268,17 @@ TransportLayerASIO::_createSSLContext(std::shared_ptr<SSLManagerInterface>& mana
}
if (_listenerOptions.isEgress() && newSSLContext->manager) {
- if (!transientEgressSSLParams.sslClusterPEMPayload.empty()) {
- LOGV2_DEBUG(5270602,
- 2,
- "Initializing transient egress SSL context",
- "targetClusterConnectionString"_attr =
- transientEgressSSLParams.targetedClusterConnectionString);
- }
-
newSSLContext->egress = std::make_unique<asio::ssl::context>(asio::ssl::context::sslv23);
Status status = newSSLContext->manager->initSSLContext(
newSSLContext->egress->native_handle(),
sslParams,
- transientEgressSSLParams,
SSLManagerInterface::ConnectionDirection::kOutgoing);
if (!status.isOK()) {
return status;
}
- if (!transientEgressSSLParams.sslClusterPEMPayload.empty()) {
- if (transientEgressSSLParams.targetedClusterConnectionString) {
- newSSLContext->targetClusterURI =
- transientEgressSSLParams.targetedClusterConnectionString.toString();
- }
+ if (newSSLContext->manager->isTransient()) {
+ newSSLContext->targetClusterURI =
+ newSSLContext->manager->getTargetedClusterConnectionString();
}
}
return newSSLContext;
@@ -1300,12 +1286,17 @@ TransportLayerASIO::_createSSLContext(std::shared_ptr<SSLManagerInterface>& mana
StatusWith<std::shared_ptr<const transport::SSLConnectionContext>>
TransportLayerASIO::createTransientSSLContext(const TransientSSLParams& transientSSLParams) {
- auto manager = getSSLManager();
+ auto coordinator = SSLManagerCoordinator::get();
+ if (!coordinator) {
+ return Status(ErrorCodes::InvalidSSLConfiguration,
+ "SSLManagerCoordinator is not initialized");
+ }
+ auto manager = coordinator->createTransientSSLManager(transientSSLParams);
if (!manager) {
return Status(ErrorCodes::InvalidSSLConfiguration, "TransportLayerASIO has no SSL manager");
}
- return _createSSLContext(manager, _sslMode(), transientSSLParams, true /* asyncOCSPStaple */);
+ return _createSSLContext(manager, _sslMode(), true /* asyncOCSPStaple */);
}
#endif
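Review bot: The manager returned by `createTransientSSLManager` is only checked for null, so a provider whose `SSLManagerInterface::create` ignores the transient parameters hands back an ordinary manager, the `isTransient()` branch in `_createSSLContext` never fires, and the egress context is built from the global cluster certificate instead of the credential the caller supplied for the targeted cluster — with nothing reporting the substitution. Since this function is the single entry point for transient contexts it should fail closed here: `if (!manager || !manager->isTransient()) { return Status(ErrorCodes::InvalidSSLConfiguration, "transient SSL manager is not supported by this SSL provider"); }`. The surviving message "TransportLayerASIO has no SSL manager" also no longer describes what is being checked now that the manager does not come from `_sslContext`.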
diff --git a/src/mongo/transport/transport_layer_asio.h b/src/mongo/transport/transport_layer_asio.h
index 04d2d136427..3ed909f1801 100644
--- a/src/mongo/transport/transport_layer_asio.h
+++ b/src/mongo/transport/transport_layer_asio.h
@@ -152,14 +152,6 @@ public:
Status rotateCertificates(std::shared_ptr<SSLManagerInterface> manager,
bool asyncOCSPStaple) override;
- std::shared_ptr<SSLManagerInterface> getSSLManager() {
- auto sslContext = _sslContext.get();
- if (!sslContext) {
- return std::shared_ptr<SSLManagerInterface>{};
- }
- return sslContext->manager;
- }
-
/**
* Creates a transient SSL context using targeted (non default) SSL params.
* @param transientSSLParams overrides any value in stored SSLConnectionContext.
@@ -191,7 +183,6 @@ private:
StatusWith<std::shared_ptr<const transport::SSLConnectionContext>> _createSSLContext(
std::shared_ptr<SSLManagerInterface>& manager,
SSLParams::SSLModes sslMode,
- TransientSSLParams transientEgressSSLParams,
bool asyncOCSPStaple) const;
void _runListener() noexcept;
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index d80d882fe87..31a858c8910 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -330,6 +330,12 @@ SSLManagerCoordinator* SSLManagerCoordinator::get() {
return theSSLManagerCoordinator;
}
+std::shared_ptr<SSLManagerInterface> SSLManagerCoordinator::createTransientSSLManager(
+ const TransientSSLParams& transientSSLParams) const {
+ return SSLManagerInterface::create(
+ sslGlobalParams, transientSSLParams, false /* isSSLServer */);
+}
+
std::shared_ptr<SSLManagerInterface> SSLManagerCoordinator::getSSLManager() {
return *_manager;
}
diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h
index b7cfd8b8099..567011971b5 100644
--- a/src/mongo/util/net/ssl_manager.h
+++ b/src/mongo/util/net/ssl_manager.h
@@ -208,7 +208,16 @@ class SSLManagerInterface : public Decorable<SSLManagerInterface> {
public:
/**
* Creates an instance of SSLManagerInterface.
- * Note: as we normally have one instance of the manager, it cannot take TransientSSLParams.
+ * Note: if 'transientSSLParams' is set, this will create a transient instance of the manager,
+ * otherwise, normally, this will be a global instance.
+ */
+ static std::shared_ptr<SSLManagerInterface> create(
+ const SSLParams& params,
+ const std::optional<TransientSSLParams>& transientSSLParams,
+ bool isServer);
+
+ /**
+ * Creates an instance of SSLManagerInterface without transient SSL params.
*/
static std::shared_ptr<SSLManagerInterface> create(const SSLParams& params, bool isServer);
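Review bot: The new comment promises that a set `transientSSLParams` yields a transient manager, but in this same change the Apple and Windows definitions of this overload construct the manager from `params` alone, so the documented contract holds only for the OpenSSL provider. Either state the limitation — e.g. `* Note: only the OpenSSL provider currently honours 'transientSSLParams'; other providers must reject an engaged value rather than fall back to the global configuration.` — or make the non-OpenSSL definitions fail when the optional is engaged. Consider also having the two-argument overload delegate to this one so the two construction paths cannot drift.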
@@ -250,6 +259,23 @@ public:
*/
virtual const SSLConfiguration& getSSLConfiguration() const = 0;
+ /**
+ * @return true if this manager was created with 'transientSSLParams' to authenticate with
+ * a particular remote cluster.
+ */
+ virtual bool isTransient() const {
+ return false;
+ }
+
+ /**
+ * @return Connection string for the remote cluster if this manager is transient (isTransient()
+ * == true), otherwise returns empty string.
+ */
+ virtual std::string getTargetedClusterConnectionString() const {
+ invariant(!isTransient());
+ return {};
+ }
+
#if MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_OPENSSL
/**
* Fetches the error text for an error code, in a thread-safe manner.
@@ -293,7 +319,6 @@ public:
*/
virtual Status initSSLContext(SSLContextType context,
const SSLParams& params,
- const TransientSSLParams& transientParams,
ConnectionDirection direction) = 0;
/**
@@ -350,6 +375,13 @@ public:
std::shared_ptr<SSLManagerInterface> getSSLManager();
/**
+ * Create a transient instance of SSL Manager.
+ * Ownership of the new manager is passed to the invoker.
+ */
+ std::shared_ptr<SSLManagerInterface> createTransientSSLManager(
+ const TransientSSLParams& transientSSLParams) const;
+
+ /**
* Perform certificate rotation safely.
*/
void rotate();
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 0fa197d3b65..7fae9426793 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1250,8 +1250,7 @@ public:
Status initSSLContext(asio::ssl::apple::Context* context,
const SSLParams& params,
- const TransientSSLParams& transientParams,
- ConnectionDirection direction) override final;
+ ConnectionDirection direction) final;
SSLConnectionInterface* connect(Socket* socket) final;
SSLConnectionInterface* accept(Socket* socket, const char* initialBytes, int len) final;
@@ -1310,16 +1309,14 @@ SSLManagerApple::SSLManagerApple(const SSLParams& params, bool isServer)
_allowInvalidHostnames(params.sslAllowInvalidHostnames),
_suppressNoCertificateWarning(params.suppressNoTLSPeerCertificateWarning) {
- uassertStatusOK(
- initSSLContext(&_clientCtx, params, TransientSSLParams(), ConnectionDirection::kOutgoing));
+ uassertStatusOK(initSSLContext(&_clientCtx, params, ConnectionDirection::kOutgoing));
if (_clientCtx.certs) {
_sslConfiguration.clientSubjectName =
uassertStatusOK(certificateGetSubject(_clientCtx.certs.get()));
}
if (isServer) {
- uassertStatusOK(initSSLContext(
- &_serverCtx, params, TransientSSLParams(), ConnectionDirection::kIncoming));
+ uassertStatusOK(initSSLContext(&_serverCtx, params, ConnectionDirection::kIncoming));
if (_serverCtx.certs) {
uassertStatusOK(
_sslConfiguration.setServerSubjectName(uassertStatusOK(certificateGetSubject(
@@ -1393,7 +1390,6 @@ StatusWith<std::pair<::SSLProtocol, ::SSLProtocol>> parseProtocolRange(const SSL
Status SSLManagerApple::initSSLContext(asio::ssl::apple::Context* context,
const SSLParams& params,
- const TransientSSLParams& transientParams,
ConnectionDirection direction) {
// Protocol Version.
const auto swProto = parseProtocolRange(params);
@@ -1826,8 +1822,10 @@ bool isSSLServer = false;
extern SSLManagerInterface* theSSLManager;
extern SSLManagerCoordinator* theSSLManagerCoordinator;
-std::shared_ptr<SSLManagerInterface> SSLManagerInterface::create(const SSLParams& params,
- bool isServer) {
+std::shared_ptr<SSLManagerInterface> SSLManagerInterface::create(
+ const SSLParams& params,
+ const std::optional<TransientSSLParams>& transientSSLParams,
+ bool isServer) {
return std::make_shared<SSLManagerApple>(params, isServer);
}
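Review bot: This overload accepts `transientSSLParams` and then discards it, constructing `SSLManagerApple` from `params` only, so a caller asking for a manager bound to an in-memory cluster certificate receives one that authenticates with the process-wide configuration and reports `isTransient() == false`. Silently substituting the default identity is the wrong failure mode for a credential choice; reject the request instead, e.g. `uassert(ErrorCodes::InvalidSSLConfiguration, "Transient SSL params are not supported by the Secure Transport SSL manager", !transientSSLParams);` before the `make_shared`. If rejection is deliberately deferred, at least mark the parameter `[[maybe_unused]]` with a comment saying the Apple provider does not implement transient managers.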
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 1dfd01c5805..a786fb9c984 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1129,7 +1129,9 @@ private:
class SSLManagerOpenSSL : public SSLManagerInterface,
public std::enable_shared_from_this<SSLManagerOpenSSL> {
public:
- explicit SSLManagerOpenSSL(const SSLParams& params, bool isServer);
+ explicit SSLManagerOpenSSL(const SSLParams& params,
+ const std::optional<TransientSSLParams>& transientSSLParams,
+ bool isServer);
~SSLManagerOpenSSL() {
stopJobs();
}
@@ -1140,7 +1142,6 @@ public:
*/
Status initSSLContext(SSL_CTX* context,
const SSLParams& params,
- const TransientSSLParams& transientParams,
ConnectionDirection direction) final;
SSLConnectionInterface* connect(Socket* socket) final;
@@ -1169,6 +1170,10 @@ public:
return _sslConfiguration;
}
+ bool isTransient() const final;
+
+ std::string getTargetedClusterConnectionString() const final;
+
int SSL_read(SSLConnectionInterface* conn, void* buf, int num) final;
int SSL_write(SSLConnectionInterface* conn, const void* buf, int num) final;
@@ -1198,6 +1203,9 @@ private:
bool _allowInvalidHostnames;
bool _suppressNoCertificateWarning;
SSLConfiguration _sslConfiguration;
+ // If set, this manager is an instance providing authentication with remote server specified
+ // with TransientSSLParams::targetedClusterConnectionString.
+ const std::optional<TransientSSLParams> _transientSSLParams;
Mutex _sharedResponseMutex = MONGO_MAKE_LATCH("OCSPStaplingJobRunner::_sharedResponseMutex");
std::shared_ptr<OCSPStaplingContext> _ocspStaplingContext;
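Review bot: `_transientSSLParams` keeps a by-value copy of `TransientSSLParams`, including `sslClusterPEMPayload`, for the manager's whole lifetime, so the PEM — which presumably carries a private key, given the passphrase fetcher passed alongside it in `initSSLContext` — now exists in at least two heap copies (the caller's and this one) with no way to release this one once it has been consumed. The member comment should say so, e.g. `// Holds the in-memory cluster PEM payload for the lifetime of this manager; it is re-read on every initSSLContext() call for an outgoing context.` Since the constructor takes the optional by `const&`, accepting it by value and `std::move`-ing into the member would avoid one further copy.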
@@ -1263,6 +1271,7 @@ private:
std::string _prompt;
};
+
PasswordFetcher _serverPEMPassword;
PasswordFetcher _clusterPEMPassword;
@@ -1444,9 +1453,17 @@ MONGO_INITIALIZER_WITH_PREREQUISITES(SSLManager, ("SetupOpenSSL", "EndStartupOpt
}
}
+std::shared_ptr<SSLManagerInterface> SSLManagerInterface::create(
+ const SSLParams& params,
+ const std::optional<TransientSSLParams>& transientSSLParams,
+ bool isServer) {
+ return std::make_shared<SSLManagerOpenSSL>(params, transientSSLParams, isServer);
+}
+
std::shared_ptr<SSLManagerInterface> SSLManagerInterface::create(const SSLParams& params,
bool isServer) {
- return std::make_shared<SSLManagerOpenSSL>(params, isServer);
+ return std::make_shared<SSLManagerOpenSSL>(
+ params, std::optional<TransientSSLParams>{}, isServer);
}
SSLX509Name getCertificateSubjectX509Name(X509* cert) {
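Review bot: The two-argument `create` repeats the `make_shared<SSLManagerOpenSSL>` construction instead of forwarding to the three-argument overload directly above it, so any future change to how a manager is constructed has to be made twice. `return create(params, std::nullopt, isServer);` keeps a single construction path.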
@@ -1537,13 +1554,16 @@ SSLConnectionOpenSSL::~SSLConnectionOpenSSL() {
}
}
-SSLManagerOpenSSL::SSLManagerOpenSSL(const SSLParams& params, bool isServer)
+SSLManagerOpenSSL::SSLManagerOpenSSL(const SSLParams& params,
+ const std::optional<TransientSSLParams>& transientSSLParams,
+ bool isServer)
: _serverContext(nullptr),
_clientContext(nullptr),
_weakValidation(params.sslWeakCertificateValidation),
_allowInvalidCertificates(params.sslAllowInvalidCertificates),
_allowInvalidHostnames(params.sslAllowInvalidHostnames),
_suppressNoCertificateWarning(params.suppressNoTLSPeerCertificateWarning),
+ _transientSSLParams(transientSSLParams),
_fetcher(this),
_serverPEMPassword(params.sslPEMKeyPassword, "Enter PEM passphrase"),
_clusterPEMPassword(params.sslClusterPassword, "Enter cluster certificate passphrase") {
@@ -1551,6 +1571,13 @@ SSLManagerOpenSSL::SSLManagerOpenSSL(const SSLParams& params, bool isServer)
uasserted(16768, "ssl initialization problem");
}
+ if (_transientSSLParams.has_value()) {
+ // No other initialization is necessary: this is egress connection manager that
+ // is not using local PEM files.
+ LOGV2_DEBUG(54090, 1, "Default params are ignored for transient SSL manager");
+ return;
+ }
+
// pick the certificate for use in outgoing connections,
std::string clientPEM;
PasswordFetcher* clientPassword;
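Review bot: The early `return` for a transient manager skips the remainder of the constructor, which continues past this hunk, and the comment only says the instance is "not using local PEM files"; from the visible lines it cannot be told whether the skipped part also loads the CA / CRL material the egress context relies on to verify the remote cluster, or whether `initSSLContext` re-derives that from the `params` it is still handed. Make the deferred work explicit so the reduced initialization can be audited, e.g. `// Transient manager: the client certificate and clientSubjectName are set up from the in-memory payload in initSSLContext(); everything else still comes from 'params' there.` (adjusted to what the skipped code actually covers). The debug message "Default params are ignored" also overstates it, since `params` is still consulted by `initSSLContext`.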
@@ -2131,11 +2158,28 @@ Milliseconds SSLManagerOpenSSL::updateOcspStaplingContextWithResponse(
return swResponse.getValue().fetchNewResponseDuration();
}
+bool SSLManagerOpenSSL::isTransient() const {
+ return _transientSSLParams.has_value();
+}
+
+std::string SSLManagerOpenSSL::getTargetedClusterConnectionString() const {
+ if (_transientSSLParams.has_value()) {
+ return (*_transientSSLParams).targetedClusterConnectionString.toString();
+ }
+ return {};
+}
Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
const SSLParams& params,
- const TransientSSLParams& transientParams,
ConnectionDirection direction) {
+ if (isTransient()) {
+ LOGV2_DEBUG(5270602,
+ 2,
+ "Initializing transient egress SSL context",
+ "targetClusterConnectionString"_attr =
+ (*_transientSSLParams).targetedClusterConnectionString);
+ }
+
// SSL_OP_ALL - Activate all bug workaround options, to support buggy client SSL's.
// SSL_OP_NO_SSLv2 - Disable SSL v2 support
// SSL_OP_NO_SSLv3 - Disable SSL v3 support
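Review bot: A point of style in the new accessors: `(*_transientSSLParams).targetedClusterConnectionString` is the verbose spelling of `_transientSSLParams->targetedClusterConnectionString`, used both in `getTargetedClusterConnectionString` and in the log attribute, and the closing brace of that accessor runs straight into the `initSSLContext` definition with no blank line. The accessor reduces to `return _transientSSLParams ? _transientSSLParams->targetedClusterConnectionString.toString() : std::string{};`. `initSSLContext` continues outside this hunk.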
@@ -2197,24 +2241,24 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
}
- if (direction == ConnectionDirection::kOutgoing &&
- !transientParams.sslClusterPEMPayload.empty()) {
+ if (direction == ConnectionDirection::kOutgoing && _transientSSLParams) {
// Transient params for outgoing connection have priority over global params.
if (!_setupPEMFromMemoryPayload(
context,
- transientParams.sslClusterPEMPayload,
+ (*_transientSSLParams).sslClusterPEMPayload,
&_clusterPEMPassword,
- transientParams.targetedClusterConnectionString.toString())) {
+ (*_transientSSLParams).targetedClusterConnectionString.toString())) {
return Status(ErrorCodes::InvalidSSLConfiguration,
str::stream() << "Can not set up transient ssl cluster certificate for "
- << transientParams.targetedClusterConnectionString);
+ << (*_transientSSLParams).targetedClusterConnectionString);
}
- auto status = _parseAndValidateCertificateFromMemory(transientParams.sslClusterPEMPayload,
- &_clusterPEMPassword,
- &_sslConfiguration.clientSubjectName,
- nullptr);
+ auto status =
+ _parseAndValidateCertificateFromMemory((*_transientSSLParams).sslClusterPEMPayload,
+ &_clusterPEMPassword,
+ &_sslConfiguration.clientSubjectName,
+ nullptr);
if (!status.isOK()) {
return status.withContext("Could not validate transient certificate");
}
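Review bot: The in-memory cluster PEM is decrypted with `&_clusterPEMPassword`, which the constructor builds from the global `sslClusterPassword`, while `TransientSSLParams` as used here carries no passphrase of its own; a transient payload protected by a different passphrase can therefore never be loaded, and whether the fetcher falls back to an interactive prompt in that case is not visible from this hunk. At minimum add above the `_setupPEMFromMemoryPayload` call: `// The transient payload must be unencrypted or encrypted with the global sslClusterPassword; TransientSSLParams carries no passphrase of its own.` A passphrase field on `TransientSSLParams` is the proper fix. Style: `_transientSSLParams->sslClusterPEMPayload` reads better than the `(*_transientSSLParams).` form used three times here.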
@@ -2317,7 +2361,7 @@ bool SSLManagerOpenSSL::_initSynchronousSSLContext(UniqueSSLContext* contextPtr,
ConnectionDirection direction) {
*contextPtr = UniqueSSLContext(SSL_CTX_new(SSLv23_method()));
- uassertStatusOK(initSSLContext(contextPtr->get(), params, TransientSSLParams(), direction));
+ uassertStatusOK(initSSLContext(contextPtr->get(), params, direction));
// If renegotiation is needed, don't return from recv() or send() until it's successful.
// Note: this is for blocking sockets only.
diff --git a/src/mongo/util/net/ssl_manager_test.cpp b/src/mongo/util/net/ssl_manager_test.cpp
index 3f84c03855c..183c5e2cae8 100644
--- a/src/mongo/util/net/ssl_manager_test.cpp
+++ b/src/mongo/util/net/ssl_manager_test.cpp
@@ -516,6 +516,11 @@ TEST(SSLManager, InitContextFromFileShouldFail) {
// We force the initialization to fail by omitting this param.
params.sslCAFile = "jstests/libs/ca.pem";
params.sslClusterFile = "jstests/libs/client.pem";
+#if MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_OPENSSL
+ ASSERT_THROWS_CODE([&params] { SSLManagerInterface::create(params, true /* isSSLServer */); }(),
+ DBException,
+ ErrorCodes::InvalidSSLConfiguration);
+#endif
}
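Review bot: The new assertion is compiled only for the OpenSSL provider, so under the Apple and Windows providers this test still ends without asserting anything and passes vacuously despite being named `ShouldFail`. If those providers also reject the omitted parameter, drop the `#if`; otherwise add an `#else` branch that records why the check is missing, e.g. `#else // TODO: assert the equivalent failure for the Secure Transport / SChannel managers`. The test body starts outside this hunk.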
TEST(SSLManager, RotateClusterCertificatesFromFile) {
@@ -552,10 +557,8 @@ TEST(SSLManager, InitContextFromFile) {
SSLManagerInterface::create(params, false /* isSSLServer */);
auto egress = std::make_unique<asio::ssl::context>(asio::ssl::context::sslv23);
- uassertStatusOK(manager->initSSLContext(egress->native_handle(),
- params,
- TransientSSLParams(),
- SSLManagerInterface::ConnectionDirection::kOutgoing));
+ uassertStatusOK(manager->initSSLContext(
+ egress->native_handle(), params, SSLManagerInterface::ConnectionDirection::kOutgoing));
}
TEST(SSLManager, InitContextFromMemory) {
@@ -567,16 +570,15 @@ TEST(SSLManager, InitContextFromMemory) {
transientParams.sslClusterPEMPayload = loadFile("jstests/libs/client.pem");
std::shared_ptr<SSLManagerInterface> manager =
- SSLManagerInterface::create(params, false /* isSSLServer */);
+ SSLManagerInterface::create(params, transientParams, false /* isSSLServer */);
auto egress = std::make_unique<asio::ssl::context>(asio::ssl::context::sslv23);
- uassertStatusOK(manager->initSSLContext(egress->native_handle(),
- params,
- transientParams,
- SSLManagerInterface::ConnectionDirection::kOutgoing));
+ uassertStatusOK(manager->initSSLContext(
+ egress->native_handle(), params, SSLManagerInterface::ConnectionDirection::kOutgoing));
}
-TEST(SSLManager, InitServerSideContextFromMemory) {
+// Tests when 'is server' param to managed interface creation is set, it is ignored.
+TEST(SSLManager, IgnoreInitServerSideContextFromMemory) {
SSLParams params;
params.sslMode.store(::mongo::sslGlobalParams.SSLMode_requireSSL);
params.sslPEMKeyFile = "jstests/libs/server.pem";
@@ -586,13 +588,11 @@ TEST(SSLManager, InitServerSideContextFromMemory) {
transientParams.sslClusterPEMPayload = loadFile("jstests/libs/client.pem");
std::shared_ptr<SSLManagerInterface> manager =
- SSLManagerInterface::create(params, true /* isSSLServer */);
+ SSLManagerInterface::create(params, transientParams, true /* isSSLServer */);
auto egress = std::make_unique<asio::ssl::context>(asio::ssl::context::sslv23);
- uassertStatusOK(manager->initSSLContext(egress->native_handle(),
- params,
- transientParams,
- SSLManagerInterface::ConnectionDirection::kOutgoing));
+ uassertStatusOK(manager->initSSLContext(
+ egress->native_handle(), params, SSLManagerInterface::ConnectionDirection::kOutgoing));
}
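Review bot: The test is now named to say the `isServer` flag is ignored for a transient manager, but the body only initializes an egress context and asserts nothing about the manager, so it would pass equally with a non-transient one; on the Apple and Windows providers `create` drops the transient parameters in this same change, which makes the test vacuous there. Add `ASSERT_TRUE(manager->isTransient());` after the `create` call, and if the OpenSSL manager exposes whether a server context was built, assert that too. The test body starts outside this hunk.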
TEST(SSLManager, TransientSSLParams) {
@@ -601,9 +601,6 @@ TEST(SSLManager, TransientSSLParams) {
params.sslCAFile = "jstests/libs/ca.pem";
params.sslClusterFile = "jstests/libs/client.pem";
- std::shared_ptr<SSLManagerInterface> manager =
- SSLManagerInterface::create(params, false /* isSSLServer */);
-
ServiceEntryPointUtil sepu;
auto options = [] {
@@ -618,17 +615,13 @@ TEST(SSLManager, TransientSSLParams) {
transientSSLParams.sslClusterPEMPayload = loadFile("jstests/libs/client.pem");
transientSSLParams.targetedClusterConnectionString = ConnectionString::forLocal();
- auto result = tla.createTransientSSLContext(transientSSLParams);
-
- // This will fail because we need to rotate certificates first to
- // initialize the default SSL context inside TransportLayerASIO.
- ASSERT_NOT_OK(result.getStatus());
-
- // Init the transport properly.
- uassertStatusOK(tla.rotateCertificates(manager, false /* asyncOCSPStaple */));
+ auto swContext = tla.createTransientSSLContext(transientSSLParams);
+ uassertStatusOK(swContext.getStatus());
- result = tla.createTransientSSLContext(transientSSLParams);
- uassertStatusOK(result.getStatus());
+ // Check that the manager owned by the transient context is also transient.
+ ASSERT_TRUE(swContext.getValue()->manager->isTransient());
+ ASSERT_EQ(transientSSLParams.targetedClusterConnectionString.toString(),
+ swContext.getValue()->manager->getTargetedClusterConnectionString());
}
#endif
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 6c912ce6d08..c7fad877e3f 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -269,8 +269,7 @@ public:
*/
Status initSSLContext(SCHANNEL_CRED* cred,
const SSLParams& params,
- const TransientSSLParams& transientParams,
- ConnectionDirection direction) override final;
+ ConnectionDirection direction) final;
SSLConnectionInterface* connect(Socket* socket) final;
@@ -393,8 +392,10 @@ SSLConnectionWindows::~SSLConnectionWindows() {}
// Global variable indicating if this is a server or a client instance
bool isSSLServer = false;
-std::shared_ptr<SSLManagerInterface> SSLManagerInterface::create(const SSLParams& params,
- bool isServer) {
+std::shared_ptr<SSLManagerInterface> SSLManagerInterface::create(
+ const SSLParams& params,
+ const std::optional<TransientSSLParams>& transientSSLParams,
+ bool isServer) {
return std::make_shared<SSLManagerWindows>(params, isServer);
}
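Review bot: This overload takes `transientSSLParams` and ignores it, returning an `SSLManagerWindows` built from `params` only, so a request for a manager bound to an in-memory cluster certificate yields one that uses the process-wide credentials and reports `isTransient() == false`; the caller has no way to notice the substitution. Fail closed rather than fall back: `uassert(ErrorCodes::InvalidSSLConfiguration, "Transient SSL params are not supported by the SChannel SSL manager", !transientSSLParams);` before the `make_shared`, or at least `[[maybe_unused]]` plus a comment stating that the Windows provider does not implement transient managers.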
@@ -416,8 +417,7 @@ SSLManagerWindows::SSLManagerWindows(const SSLParams& params, bool isServer)
uassertStatusOK(_loadCertificates(params));
- uassertStatusOK(
- initSSLContext(&_clientCred, params, TransientSSLParams(), ConnectionDirection::kOutgoing));
+ uassertStatusOK(initSSLContext(&_clientCred, params, ConnectionDirection::kOutgoing));
// Certificates may not have been loaded. This typically occurs in unit tests.
if (_clientCertificates[0] != nullptr) {
@@ -427,8 +427,7 @@ SSLManagerWindows::SSLManagerWindows(const SSLParams& params, bool isServer)
// SSL server specific initialization
if (isServer) {
- uassertStatusOK(initSSLContext(
- &_serverCred, params, TransientSSLParams(), ConnectionDirection::kIncoming));
+ uassertStatusOK(initSSLContext(&_serverCred, params, ConnectionDirection::kIncoming));
if (_serverCertificates[0] != nullptr) {
SSLX509Name subjectName;
@@ -1345,7 +1344,6 @@ Status SSLManagerWindows::_loadCertificates(const SSLParams& params) {
Status SSLManagerWindows::initSSLContext(SCHANNEL_CRED* cred,
const SSLParams& params,
- const TransientSSLParams& transientParams,
ConnectionDirection direction) {
memset(cred, 0, sizeof(*cred));
@@ -1440,7 +1438,6 @@ SSLConnectionInterface* SSLManagerWindows::accept(Socket* socket,
void SSLManagerWindows::_handshake(SSLConnectionWindows* conn, bool client) {
initSSLContext(conn->_cred,
getSSLGlobalParams(),
- TransientSSLParams(),
client ? SSLManagerInterface::ConnectionDirection::kOutgoing
: SSLManagerInterface::ConnectionDirection::kIncoming);