diff options
| author | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-10-03 23:17:42 -0400 |
|---|---|---|
| committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-10-10 13:22:48 -0400 |
| commit | 670963110d9d226824842d22540a79154fce59a1 (patch) | |
| tree | 40c598749bec046d5a39d38e0ded2dd56e03fa74 /jstests/ssl/ssl_count_protocols.js | |
| parent | 7997dbf403430b757ff485ffa8a3aa4d56cb16a7 (diff) | |
| download | mongo-670963110d9d226824842d22540a79154fce59a1.tar.gz | |
SERVER-37135: Track and report TLS 1.3
Diffstat (limited to 'jstests/ssl/ssl_count_protocols.js')
| -rw-r--r-- | jstests/ssl/ssl_count_protocols.js | 32 |
1 files changed, 29 insertions, 3 deletions
diff --git a/jstests/ssl/ssl_count_protocols.js b/jstests/ssl/ssl_count_protocols.js index ae21894eee0..a9e3202c30f 100644 --- a/jstests/ssl/ssl_count_protocols.js +++ b/jstests/ssl/ssl_count_protocols.js @@ -2,23 +2,35 @@ (function() { 'use strict'; + load("jstests/ssl/libs/ssl_helpers.js"); + var SERVER_CERT = "jstests/libs/server.pem"; var CLIENT_CERT = "jstests/libs/client.pem"; var CA_CERT = "jstests/libs/ca.pem"; + const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]; + + // First, figure out what protocol our local TLS stack wants to speak. + // We're going to observe a connection of this type from the testrunner. + const expectedDefaultProtocol = detectDefaultTLSProtocol(); + print("Expected default protocol: " + expectedDefaultProtocol); + function runTestWithoutSubset(client) { - let disabledProtocols = ["TLS1_0", "TLS1_1", "TLS1_2"]; - let expectedCounts = [0, 0, 1]; + print("Running test: " + client); + let disabledProtocols = protocols.slice(); + let expectedCounts = [0, 0, 0, 0, 0]; + expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1; var index = disabledProtocols.indexOf(client); disabledProtocols.splice(index, 1); expectedCounts[index] += 1; + print(tojson(expectedCounts)); const conn = MongoRunner.runMongod({ sslMode: 'allowSSL', sslPEMKeyFile: SERVER_CERT, sslDisabledProtocols: 'none', useLogFiles: true, - tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2", + tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3", }); print(disabledProtocols); @@ -43,8 +55,21 @@ 'a[one] = NumberLong(' + expectedCounts[0] + ');' + 'a["1.1"] = NumberLong(' + expectedCounts[1] + ');' + 'a["1.2"] = NumberLong(' + expectedCounts[2] + ');' + + 'a["1.3"] = NumberLong(' + expectedCounts[3] + ');' + + 'a["unknown"] = NumberLong(' + expectedCounts[4] + ');' + 'assert.eq(db.serverStatus().transportSecurity, a);'); + if (expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3") { + // If the runtime environment does not support TLS 1.3, a client cannot connect to a + // server if TLS 1.3 is its only usable protocol version. + assert.neq( + 0, + exitStatus, + "A client which does not support TLS 1.3 should not be able to connect with it"); + MongoRunner.stopMongod(conn); + return; + } + assert.eq(0, exitStatus, ""); print(`Checking ${conn.fullOptions.logFile} for TLS version message`); @@ -73,5 +98,6 @@ runTestWithoutSubset("TLS1_0"); runTestWithoutSubset("TLS1_1"); runTestWithoutSubset("TLS1_2"); + runTestWithoutSubset("TLS1_3"); })(); |