authorSpencer Jackson <spencer.jackson@mongodb.com>2020-07-28 23:00:12 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-08-04 19:37:05 +0000
commit358ac5e5d0cfa2843c016302aa0443b217662346 (patch)
tree858f464da90073040905fa8ff8c765ca2335ce67
parent2b4a84b2d6361201a2d3201de478877ca79845d8 (diff)
downloadmongo-358ac5e5d0cfa2843c016302aa0443b217662346.tar.gz
SERVER-49826 Enable OCSP stapling on OpenSSL 1.0.1
-rw-r--r--etc/evergreen.yml4
-rw-r--r--jstests/ocsp/ocsp_connection_type_testing.js6
-rw-r--r--jstests/ocsp/ocsp_must_staple.js6
-rw-r--r--jstests/ocsp/ocsp_server_refresh.js6
-rw-r--r--jstests/ocsp/ocsp_stapling.js6
-rw-r--r--jstests/ssl/libs/ssl_helpers.js4
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp29
7 files changed, 27 insertions, 34 deletions
diff --git a/etc/evergreen.yml b/etc/evergreen.yml
index 02b91889bcc..a774e8550e2 100644
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@@ -7091,7 +7091,7 @@ tasks:
- <<: *task_template
name: ocsp
- tags: ["ssl", "ocsp"]
+ tags: ["ssl", "encrypt", "ocsp"]
commands:
- func: "do setup"
- func: "run tests"
@@ -10888,7 +10888,7 @@ buildvariants:
- name: compile_TG
distros:
- rhel70
- - name: ssl_gen
+ - name: .ssl
- name: jsCore
- name: external_auth
diff --git a/jstests/ocsp/ocsp_connection_type_testing.js b/jstests/ocsp/ocsp_connection_type_testing.js
index 062b25094c8..32c3c50ff7a 100644
--- a/jstests/ocsp/ocsp_connection_type_testing.js
+++ b/jstests/ocsp/ocsp_connection_type_testing.js
@@ -54,12 +54,6 @@ rstest.stopSet();
mock_ocsp.stop();
-// The next few tests depend on stapling
-// being available.
-if (!supportsStapling()) {
- return;
-}
-
mock_ocsp = new MockOCSPServer();
mock_ocsp.start();
diff --git a/jstests/ocsp/ocsp_must_staple.js b/jstests/ocsp/ocsp_must_staple.js
index 1cef7d23e3e..d6429671dc8 100644
--- a/jstests/ocsp/ocsp_must_staple.js
+++ b/jstests/ocsp/ocsp_must_staple.js
@@ -10,10 +10,6 @@ if (determineSSLProvider() !== "openssl") {
return;
}
-if (!supportsStapling()) {
- return;
-}
-
let mock_ocsp = new MockOCSPServer();
mock_ocsp.start();
@@ -62,4 +58,4 @@ MongoRunner.stopMongod(conn);
// sleep to make sure that the threads don't interfere with each other.
sleep(1000);
mock_ocsp.stop();
-}()); \ No newline at end of file
+}());
diff --git a/jstests/ocsp/ocsp_server_refresh.js b/jstests/ocsp/ocsp_server_refresh.js
index 699f6e397f2..608d9368c35 100644
--- a/jstests/ocsp/ocsp_server_refresh.js
+++ b/jstests/ocsp/ocsp_server_refresh.js
@@ -10,10 +10,6 @@ if (determineSSLProvider() != "openssl") {
return;
}
-if (!supportsStapling()) {
- return;
-}
-
let mock_ocsp = new MockOCSPServer("", 20);
mock_ocsp.start();
@@ -102,4 +98,4 @@ assert.doesNotThrow(() => {
});
MongoRunner.stopMongod(conn);
-}()); \ No newline at end of file
+}());
diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js
index 70e0809f6b2..fb21843ac61 100644
--- a/jstests/ocsp/ocsp_stapling.js
+++ b/jstests/ocsp/ocsp_stapling.js
@@ -10,10 +10,6 @@ if (determineSSLProvider() !== "openssl") {
return;
}
-if (!supportsStapling()) {
- return;
-}
-
function test(serverCert, caCert, responderCertPair) {
const ocsp_options = {
sslMode: "requireSSL",
@@ -90,4 +86,4 @@ function test(serverCert, caCert, responderCertPair) {
test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_DELEGATE_RESPONDER);
test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
-}()); \ No newline at end of file
+}());
diff --git a/jstests/ssl/libs/ssl_helpers.js b/jstests/ssl/libs/ssl_helpers.js
index 2c76f4be797..dbd37f2d088 100644
--- a/jstests/ssl/libs/ssl_helpers.js
+++ b/jstests/ssl/libs/ssl_helpers.js
@@ -364,10 +364,6 @@ function opensslVersionAsInt() {
return version;
}
-function supportsStapling() {
- return opensslVersionAsInt() >= 0x01000200;
-}
-
function copyCertificateFile(a, b) {
if (_isWindows()) {
// correctly replace forward slashes for Windows
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index db388313411..ab101fdd88d 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -477,6 +477,7 @@ public:
using UniqueSSLContext =
std::unique_ptr<SSL_CTX, OpenSSLDeleter<decltype(::SSL_CTX_free), ::SSL_CTX_free>>;
+using UniqueSSL = std::unique_ptr<SSL, OpenSSLDeleter<decltype(::SSL_free), ::SSL_free>>;
static const int BUFFER_SIZE = 8 * 1024;
using UniqueX509 = std::unique_ptr<X509, OpenSSLDeleter<decltype(X509_free), ::X509_free>>;
@@ -1765,13 +1766,32 @@ Future<void> SSLManagerOpenSSL::ocspClientVerification(SSL* ssl, const ExecutorP
using StoreCtxVerifiedChain = std::unique_ptr<STACK_OF(X509), X509StackDeleter>;
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+/** getCertificateForContext provides access to the X509* used by the provided SSL_CTX*.
+ * OpenSSL 1.0.2 provides SSL_CTX_get0_certificate, which provides direct access to the pointer.
+ * OpenSSL 1.0.1 only exposes the pointer on a per-connection basis via SSL_get_certificate.
+ * We must provide different implementations depending on the symbols available at compile-time.
+ * On 1.0.1, we must ensure that the lifetime of SSL object is longer than the X509 pointer we're
+ * inspecting.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+std::tuple<UniqueSSL, X509*> getCertificateForContext(SSL_CTX* context) {
+ UniqueSSL ssl(SSL_new(context));
+ X509* ret = SSL_get_certificate(ssl.get());
+ return std::make_tuple(std::move(ssl), ret);
+}
+#else
+std::tuple<X509*> getCertificateForContext(SSL_CTX* context) {
+ return std::make_tuple(SSL_CTX_get0_certificate(context));
+}
+#endif
+
Status SSLManagerOpenSSL::stapleOCSPResponse(SSL_CTX* context) {
if (MONGO_unlikely(disableStapling.shouldFail()) || !tlsOCSPEnabled) {
return Status::OK();
}
- X509* cert = SSL_CTX_get0_certificate(context);
+ auto certificateHolder = getCertificateForContext(context);
+ X509* cert = std::get<X509*>(certificateHolder);
if (!cert) {
return getSSLFailure(
"Could not staple because could not get certificate from SSL Context.");
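Review bot: On the OpenSSL 1.0.1 branch of getCertificateForContext, `SSL_new(context)` can return NULL (allocation failure, or a context that cannot be instantiated), and the next line hands that null handle straight to `SSL_get_certificate`, which does not tolerate a null SSL*; the only null check in the hunk is on the X509* result in stapleOCSPResponse, which is too late. Guard the handle first, e.g. `if (!ssl) { return std::make_tuple(std::move(ssl), nullptr); }`, so the existing `if (!cert)` branch reports the failure through getSSLFailure instead of the process crashing during context setup. The call site would also benefit from a one-line comment on `certificateHolder` saying that on 1.0.1 it owns the SSL object that keeps `cert` valid and must stay in scope for every later use of `cert` in this function, since that lifetime coupling is invisible from the `std::get<X509*>` line alone. stapleOCSPResponse's body continues outside the hunk.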
@@ -1906,11 +1926,6 @@ Status SSLManagerOpenSSL::stapleOCSPResponse(SSL_CTX* context) {
return Status::OK();
}
-#else
-Status SSLManagerOpenSSL::stapleOCSPResponse(SSL_CTX* context) {
- return Status::OK();
-}
-#endif
Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
const SSLParams& params,