author | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2020-03-30 16:52:20 -0700 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-04-03 16:43:35 +0000 |
commit | 65d93bcbc3acf6782fce539c3629d2112ec1df1f (patch) | |
tree | 02428fdd1845e24fe47206512108b68d0f2edc55 /jstests/ocsp | |
parent | 129b8993b6575231509980f29587d3214d56e8e1 (diff) | |
download | mongo-65d93bcbc3acf6782fce539c3629d2112ec1df1f.tar.gz |
SERVER-47051 Investigate OCSP failures on 4.3.4 and on 4.5.0
Diffstat (limited to 'jstests/ocsp')
-rw-r--r-- | jstests/ocsp/lib/mock_ocsp.js | 15 | ||||
-rw-r--r-- | jstests/ocsp/lib/ocsp_helpers.js | 6 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_basic.js | 2 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_basic_ca_responder.js | 52 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_connection_type_testing.js | 2 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_must_staple.js | 2 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_server_refresh.js | 2 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_stapling.js | 129 |
8 files changed, 138 insertions, 72 deletions
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js index 1cff413b531..1d8691bd26e 100644 --- a/jstests/ocsp/lib/mock_ocsp.js +++ b/jstests/ocsp/lib/mock_ocsp.js @@ -17,8 +17,9 @@ class MockOCSPServer { * * @param {string} fault_type * @param {number} next_update_secs + * @param {boolean} responder_is_ca */ - constructor(fault_type, next_update_secs) { + constructor(fault_type, next_update_secs, responder_is_ca = false) { this.python = "python3"; this.fault_type = fault_type; @@ -26,10 +27,16 @@ class MockOCSPServer { this.python = "python.exe"; } + if (responder_is_ca) { + this.ocsp_cert_file = OCSP_CA_CERT; + this.ocsp_cert_key = OCSP_CA_KEY; + } else { + this.ocsp_cert_file = OCSP_RESPONDER_CERT; + this.ocsp_cert_key = OCSP_RESPONDER_KEY; + } + print("Using python interpreter: " + this.python); - this.ca_file = OCSP_CA_CERT; - this.ocsp_cert_file = OCSP_RESPONDER_CERT; - this.ocsp_cert_key = OCSP_RESPONDER_KEY; + this.ca_file = OCSP_CA_PEM; // The port must be hard coded to match the port of the // responder in the certificates. this.port = 8100; diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js index b5aa320518f..9855c9405ad 100644 --- a/jstests/ocsp/lib/ocsp_helpers.js +++ b/jstests/ocsp/lib/ocsp_helpers.js @@ -4,7 +4,9 @@ load("jstests/ssl/libs/ssl_helpers.js"); -const OCSP_CA_CERT = "jstests/libs/ocsp/ca_ocsp.pem"; +const OCSP_CA_PEM = "jstests/libs/ocsp/ca_ocsp.pem"; +const OCSP_CA_CERT = "jstests/libs/ocsp/ca_ocsp.crt"; +const OCSP_CA_KEY = "jstests/libs/ocsp/ca_ocsp.key"; const OCSP_SERVER_CERT = "jstests/libs/ocsp/server_ocsp.pem"; const OCSP_CLIENT_CERT = "jstests/libs/ocsp/client_ocsp.pem"; const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pem"; @@ -37,7 +39,7 @@ var waitForServer = function(conn) { host, '--tls', '--tlsCAFile', - OCSP_CA_CERT, + OCSP_CA_PEM, '--tlsCertificateKeyFile', OCSP_CLIENT_CERT, '--tlsAllowInvalidCertificates', 
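Review bot: The new `if (responder_is_ca)` branch in the constructor switches the signing material to `OCSP_CA_CERT`/`OCSP_CA_KEY` without saying why, and the matching `@param {boolean} responder_is_ca` line added in the first hunk carries no description either. Signing status responses with the issuing CA's own key is one of the two responder models RFC 6960 §4.2.2.2 allows (the other being a delegated certificate that carries the id-kp-OCSPSigning EKU), and that appears to be what the flag selects; a reader should not have to infer it from the file names. I would complete the JSDoc as `@param {boolean} responder_is_ca  Sign responses with the CA's own certificate and key (RFC 6960 §4.2.2.2, "CA signs directly") instead of the delegated responder certificate` and put `// CA-signed responses vs. a delegated OCSP responder certificate; the verifier must accept both.` above the `if`. Whether the Python responder then omits or includes the CA certificate in the response's `certs` field is not visible here and is worth confirming, since that is where the two modes differ on the verifying side. The constructor body continues past the end of the hunk.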
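Review bot: `OCSP_CA_CERT` keeps its name but changes meaning: it used to resolve to `ca_ocsp.pem` and now resolves to `ca_ocsp.crt`, with the old path moved under the new `OCSP_CA_PEM`. Every use inside `jstests/ocsp` is rewritten in this commit, but the diffstat shown is limited to that directory, so any other test that loads `ocsp_helpers.js` and still passes `OCSP_CA_CERT` as a `--tlsCAFile`/`sslCAFile` value would silently start pointing at a different file; a grep for remaining `OCSP_CA_CERT` users outside `jstests/ocsp`, or a fresh name such as `OCSP_CA_CRT` for the split certificate, would remove the ambiguity. The three constants also deserve a one-line comment each stating what the file contains — presumably the `.pem` bundles certificate and key while `.crt`/`.key` are the split halves the mock responder signs with when it acts as the CA — but that should be confirmed against `jstests/libs/ocsp` rather than assumed.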
diff --git a/jstests/ocsp/ocsp_basic.js b/jstests/ocsp/ocsp_basic.js index eb784793681..c8a635dace9 100644 --- a/jstests/ocsp/ocsp_basic.js +++ b/jstests/ocsp/ocsp_basic.js @@ -9,7 +9,7 @@ load("jstests/ocsp/lib/mock_ocsp.js"); var ocsp_options = { sslMode: "requireSSL", sslPEMKeyFile: OCSP_SERVER_CERT, - sslCAFile: OCSP_CA_CERT, + sslCAFile: OCSP_CA_PEM, sslAllowInvalidHostnames: "", setParameter: { "failpoint.disableStapling": "{'mode':'alwaysOn'}", diff --git a/jstests/ocsp/ocsp_basic_ca_responder.js b/jstests/ocsp/ocsp_basic_ca_responder.js new file mode 100644 index 00000000000..0a13d0acad7 --- /dev/null +++ b/jstests/ocsp/ocsp_basic_ca_responder.js @@ -0,0 +1,52 @@ +// Check that OCSP verification works +// @tags: [requires_http_client] + +load("jstests/ocsp/lib/mock_ocsp.js"); + +(function() { +"use strict"; + +if (determineSSLProvider() === "apple") { + return; +} + +clearOCSPCache(); + +const ocsp_options = { + sslMode: "requireSSL", + sslPEMKeyFile: OCSP_SERVER_CERT, + sslCAFile: OCSP_CA_PEM, + sslAllowInvalidHostnames: "", + setParameter: { + "failpoint.disableStapling": "{'mode':'alwaysOn'}", + "ocspEnabled": "true", + }, +}; + +// This is to test what happens when the responder is down, +// making sure that we soft fail. +let conn = null; + +let mock_ocsp = new MockOCSPServer("", 1, true); +mock_ocsp.start(); + +assert.doesNotThrow(() => { + conn = MongoRunner.runMongod(ocsp_options); +}); + +mock_ocsp.stop(); +mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1, true); +mock_ocsp.start(); + +assert.throws(() => { + new Mongo(conn.host); +}); + +MongoRunner.stopMongod(conn); + +// The mongoRunner spawns a new Mongo Object to validate the collections which races +// with the shutdown logic of the mock_ocsp responder on some platforms. We need this +// sleep to make sure that the threads don't interfere with each other. +sleep(1000); +mock_ocsp.stop(); +}());
\ No newline at end of file diff --git a/jstests/ocsp/ocsp_connection_type_testing.js b/jstests/ocsp/ocsp_connection_type_testing.js index b4f7ccae42b..062b25094c8 100644 --- a/jstests/ocsp/ocsp_connection_type_testing.js +++ b/jstests/ocsp/ocsp_connection_type_testing.js @@ -24,7 +24,7 @@ MongoRunner.runHangAnalyzer.disable(); const ocsp_options = { sslMode: "requireSSL", sslPEMKeyFile: OCSP_SERVER_CERT, - sslCAFile: OCSP_CA_CERT, + sslCAFile: OCSP_CA_PEM, sslAllowInvalidHostnames: "", setParameter: { "ocspEnabled": "true", diff --git a/jstests/ocsp/ocsp_must_staple.js b/jstests/ocsp/ocsp_must_staple.js index 229572ec2d1..1cef7d23e3e 100644 --- a/jstests/ocsp/ocsp_must_staple.js +++ b/jstests/ocsp/ocsp_must_staple.js @@ -20,7 +20,7 @@ mock_ocsp.start(); let ocsp_options = { sslMode: "requireSSL", sslPEMKeyFile: OCSP_SERVER_MUSTSTAPLE_CERT, - sslCAFile: OCSP_CA_CERT, + sslCAFile: OCSP_CA_PEM, sslAllowInvalidHostnames: "", setParameter: { "ocspEnabled": "true", diff --git a/jstests/ocsp/ocsp_server_refresh.js b/jstests/ocsp/ocsp_server_refresh.js index b3fa01c959a..699f6e397f2 100644 --- a/jstests/ocsp/ocsp_server_refresh.js +++ b/jstests/ocsp/ocsp_server_refresh.js @@ -20,7 +20,7 @@ mock_ocsp.start(); const ocsp_options = { sslMode: "requireSSL", sslPEMKeyFile: OCSP_SERVER_CERT, - sslCAFile: OCSP_CA_CERT, + sslCAFile: OCSP_CA_PEM, sslAllowInvalidHostnames: "", setParameter: { "ocspEnabled": "true", diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js index 707c90f05f0..02671770fb6 100644 --- a/jstests/ocsp/ocsp_stapling.js +++ b/jstests/ocsp/ocsp_stapling.js @@ -6,7 +6,7 @@ load("jstests/ocsp/lib/mock_ocsp.js"); (function() { "use strict"; -if (determineSSLProvider() != "openssl") { +if (determineSSLProvider() !== "openssl") { return; } 
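Review bot: The comment above `let conn = null;` — `// This is to test what happens when the responder is down, making sure that we soft fail.` — is carried over from `ocsp_stapling.js` and does not describe this file: here `mock_ocsp.start()` runs before `MongoRunner.runMongod`, so the responder is up and answering "good" when the server starts, and nothing in the file exercises the soft-fail path. I would replace it with `// Responder is up, signs as the CA itself and reports "good": startup and the first client connection must succeed.` and widen the header to `// Check that OCSP verification works when the responder signs as the CA itself.` The revocation check, `assert.throws(() => { new Mongo(conn.host); })`, accepts any failure, so a connection refused for an unrelated reason (a port race with the just-restarted mock, for instance) would also pass; matching the thrown error against the revocation wording the shell actually emits would make the test pin the behaviour it is named for, and I cannot see that wording from here. `next_update_secs` is `1` in this file where the stapling test uses `1000`; if the short lifetime is deliberate so the revoked status is fetched rather than served from a cached "good" response, a one-line comment saying so would save the next reader the guess.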
@@ -14,73 +14,78 @@ if (!supportsStapling()) { return; } -const ocsp_options = { - sslMode: "requireSSL", - sslPEMKeyFile: OCSP_SERVER_CERT, - sslCAFile: OCSP_CA_CERT, - sslAllowInvalidHostnames: "", - setParameter: { - "ocspEnabled": "true", - }, -}; - -// This is to test what happens when the responder is down, -// making sure that we soft fail. -let conn = null; - -assert.doesNotThrow(() => { - conn = MongoRunner.runMongod(ocsp_options); -}); - -MongoRunner.stopMongod(conn); - -let mock_ocsp = new MockOCSPServer("", 1000); -mock_ocsp.start(); - -// In this scenario, the Mongod has the ocsp response stapled -// which should allow the connection to proceed. Even when the -// responder says that the certificate is revoked, the mongod -// should still have the old response stashed and doesn't have -// to refresh the response, so the shell should connect. -assert.doesNotThrow(() => { +var test = function(responderCA) { + const ocsp_options = { + sslMode: "requireSSL", + sslPEMKeyFile: OCSP_SERVER_CERT, + sslCAFile: OCSP_CA_PEM, + sslAllowInvalidHostnames: "", + setParameter: { + "ocspEnabled": "true", + }, + }; + + // This is to test what happens when the responder is down, + // making sure that we soft fail. + let conn = null; + + assert.doesNotThrow(() => { + conn = MongoRunner.runMongod(ocsp_options); + }); + + MongoRunner.stopMongod(conn); + + let mock_ocsp = new MockOCSPServer("", 1000, responderCA); + mock_ocsp.start(); + + // In this scenario, the Mongod has the ocsp response stapled + // which should allow the connection to proceed. Even when the + // responder says that the certificate is revoked, the mongod + // should still have the old response stashed and doesn't have + // to refresh the response, so the shell should connect. 
+ assert.doesNotThrow(() => { + conn = MongoRunner.runMongod(ocsp_options); + }); + mock_ocsp.stop(); + + mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000, responderCA); + mock_ocsp.start(); + assert.doesNotThrow(() => { + new Mongo(conn.host); + }); + + MongoRunner.stopMongod(conn); + + // This is the same scenario as above, except that the mongod has + // the status saying that the certificate is revoked. If we have a shell + // waiting to connect, it will fail because the certificate status of + // the mongod's cert is revoked. + Object.extend(ocsp_options, {waitForConnect: false}); conn = MongoRunner.runMongod(ocsp_options); -}); -mock_ocsp.stop(); - -mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000); -mock_ocsp.start(); -assert.doesNotThrow(() => { - new Mongo(conn.host); -}); -MongoRunner.stopMongod(conn); + waitForServer(conn); -// This is the same scenario as above, except that the mongod has -// the status saying that the certificate is revoked. If we have a shell -// waiting to connect, it will fail because the certificate status of -// the mongod's cert is revoked. -Object.extend(ocsp_options, {waitForConnect: false}); -conn = MongoRunner.runMongod(ocsp_options); + assert.throws(() => { + new Mongo(conn.host); + }); + mock_ocsp.stop(); -waitForServer(conn); + mock_ocsp = new MockOCSPServer("", 1000, responderCA); + mock_ocsp.start(); -assert.throws(() => { - new Mongo(conn.host); -}); -mock_ocsp.stop(); + assert.throws(() => { + new Mongo(conn.host); + }); -mock_ocsp = new MockOCSPServer("", 1000); -mock_ocsp.start(); + MongoRunner.stopMongod(conn); -assert.throws(() => { - new Mongo(conn.host); -}); - -MongoRunner.stopMongod(conn); + // The mongoRunner spawns a new Mongo Object to validate the collections which races + // with the shutdown logic of the mock_ocsp responder on some platforms. We need this + // sleep to make sure that the threads don't interfere with each other. 
+ sleep(1000); + mock_ocsp.stop(); +}; -// The mongoRunner spawns a new Mongo Object to validate the collections which races -// with the shutdown logic of the mock_ocsp responder on some platforms. We need this -// sleep to make sure that the threads don't interfere with each other. -sleep(1000); -mock_ocsp.stop(); +test(false); +test(true); }());
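Review bot: The new `test` helper is declared with `var test = function(responderCA) {` in a `"use strict"` file whose other bindings are `const`/`let`, and it has no header comment, so a reader reaches `test(false); test(true);` at the bottom without being told what the parameter toggles. I would write `const test = function(responderCA) {` and put above it `// Runs the three stapling scenarios (responder down -> soft fail; "good" response stapled -> connects even after the responder says revoked; revoked response stapled -> connection refused) once with the delegated responder certificate (false) and once with the CA signing responses itself (true).` — the scenario list restates what the inline comments already say, and the meaning of the flag follows from `MockOCSPServer`'s new third argument. Apart from that argument and the `OCSP_CA_CERT` -> `OCSP_CA_PEM` rename, the hunk is a re-indentation of the previous body, so behaviour is otherwise unchanged. The IIFE that encloses `test` opens in the previous hunk, outside this one.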
\ No newline at end of file |