authorAdrian Gonzalez <adriangonzalezmontemayor@gmail.com>2023-05-12 18:45:31 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2023-05-12 21:05:30 +0000
commiteb05490c36d7d21ccb142984b6d83c6f30146ae6 (patch)
tree8e3387491cc0445e77acd13187f1e607a3752620
parent44d9b193ab7a2e86b7f63a276f0215d24c3c35d6 (diff)
downloadmongo-eb05490c36d7d21ccb142984b6d83c6f30146ae6.tar.gz
SERVER-73662 tlsClusterCAFile is not being used to validate client certificates on Windows
-rw-r--r--jstests/ssl/ssl_client_bad_certificate_warning.js61
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp1
2 files changed, 62 insertions, 0 deletions
diff --git a/jstests/ssl/ssl_client_bad_certificate_warning.js b/jstests/ssl/ssl_client_bad_certificate_warning.js
new file mode 100644
index 00000000000..1e63c5a7489
--- /dev/null
+++ b/jstests/ssl/ssl_client_bad_certificate_warning.js
@@ -0,0 +1,61 @@
+// Test mongo shell output logs correct messages when not including certificates or using bad
+// certificates.
+(function() {
+'use strict';
+
+const SERVER_CERT = "jstests/libs/server.pem";
+const CA_CERT = "jstests/libs/ca.pem";
+
+const BAD_CLIENT_CERT = 'jstests/libs/trusted-client.pem';
+
+function testConnect(outputLog, ...args) {
+ const command = ['mongo', '--host', 'localhost', '--port', mongod.port, '--tls', ...args];
+
+ clearRawMongoProgramOutput();
+ const clientPID = _startMongoProgram({args: command});
+
+ assert.soon(function() {
+ const output = rawMongoProgramOutput();
+ if (output.includes(outputLog)) {
+ stopMongoProgramByPid(clientPID);
+ return true;
+ }
+ return false;
+ });
+}
+
+function runTests() {
+ // --tlsCertificateKeyFile not specifed when mongod was started with --tlsCAFile or
+ // --tlsClusterCAFile.
+ testConnect('No SSL certificate provided by peer', '--tlsCAFile', CA_CERT);
+
+ // Certificate not signed by CA_CERT used.
+ testConnect('SSL peer certificate validation failed',
+ '--tlsCAFile',
+ CA_CERT,
+ '--tlsCertificateKeyFile',
+ BAD_CLIENT_CERT);
+}
+
+// Use tlsClusterCAFile
+let mongod = MongoRunner.runMongod({
+ tlsMode: "requireTLS",
+ tlsCertificateKeyFile: SERVER_CERT,
+ tlsClusterCAFile: CA_CERT,
+});
+
+runTests();
+
+MongoRunner.stopMongod(mongod);
+
+// Use tlsCAFile
+mongod = MongoRunner.runMongod({
+ tlsMode: "requireTLS",
+ tlsCertificateKeyFile: SERVER_CERT,
+ tlsCAFile: CA_CERT,
+});
+
+runTests();
+
+MongoRunner.stopMongod(mongod);
+})();
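Review bot: In `testConnect` the spawned shell is only stopped from inside the `assert.soon` callback on the success path; if the expected log line never appears and `assert.soon` times out, `clientPID` is never passed to `stopMongoProgramByPid`, so a failing run leaves a stray `mongo` process behind and the failure is reported as a timeout rather than as the missing message. Moving the stop into a `finally` makes the cleanup unconditional and keeps the assertion focused on the log check. Separately, the comment at the top of `runTests` has a typo: `// --tlsCertificateKeyFile not specified when mongod was started with --tlsCAFile or`.
```javascript
function testConnect(outputLog, ...args) {
    const command = ['mongo', '--host', 'localhost', '--port', mongod.port, '--tls', ...args];

    clearRawMongoProgramOutput();
    const clientPID = _startMongoProgram({args: command});

    try {
        assert.soon(() => rawMongoProgramOutput().includes(outputLog));
    } finally {
        // Always reap the client, including when assert.soon times out.
        stopMongoProgramByPid(clientPID);
    }
}
```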
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 3f168cf09f1..09d06724a1d 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1305,6 +1305,7 @@ Status SSLManagerWindows::_loadCertificates(const SSLParams& params) {
}
_serverEngine.CAstore = std::move(swChain.getValue());
+ _sslConfiguration.hasCA = true;
}
_serverEngine.hasCRL = !params.sslCRLFile.empty();
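Review bot: The added `_sslConfiguration.hasCA = true;` carries no explanation of why a flag on `_sslConfiguration` must be set while loading the cluster CA into `_serverEngine.CAstore`, so the next reader cannot tell that omitting it is what caused client-certificate validation to be skipped. A why-comment tying the line to the ticket would prevent a future refactor from dropping it again, e.g. `// A cluster CA store is a CA for peer-certificate validation too; without hasCA the` / `// validation path is skipped, which is the SERVER-73662 bug.`. The `_loadCertificates` function begins and ends outside the hunk, so whether the tlsCAFile branch sets the same flag cannot be confirmed from here and is presumably what the cluster branch is being aligned with.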