author | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-10-03 23:17:42 -0400 |
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-10-10 13:22:48 -0400 |
commit | 670963110d9d226824842d22540a79154fce59a1 (patch) | |
tree | 40c598749bec046d5a39d38e0ded2dd56e03fa74 /jstests/ssl | |
parent | 7997dbf403430b757ff485ffa8a3aa4d56cb16a7 (diff) | |
download | mongo-670963110d9d226824842d22540a79154fce59a1.tar.gz |
SERVER-37135: Track and report TLS 1.3
Diffstat (limited to 'jstests/ssl')
-rw-r--r-- | jstests/ssl/libs/ssl_helpers.js | 27 | ||||
-rw-r--r-- | jstests/ssl/ssl_count_protocols.js | 32 | ||||
-rw-r--r-- | jstests/ssl/tls1_0.js | 13 |
3 files changed, 66 insertions, 6 deletions
diff --git a/jstests/ssl/libs/ssl_helpers.js b/jstests/ssl/libs/ssl_helpers.js
index 6b5ed90d283..37dad3972ee 100644
--- a/jstests/ssl/libs/ssl_helpers.js
+++ b/jstests/ssl/libs/ssl_helpers.js
@@ -217,3 +217,30 @@ function requireSSLProvider(required, fn) {
 }
 fn();
 }
+
+function detectDefaultTLSProtocol() {
+ const conn = MongoRunner.runMongod({
+ sslMode: 'allowSSL',
+ sslPEMKeyFile: SERVER_CERT,
+ sslDisabledProtocols: 'none',
+ useLogFiles: true,
+ tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3",
+ });
+
+ const res = conn.getDB("admin").serverStatus().transportSecurity;
+
+ MongoRunner.stopMongod(conn);
+
+ // Verify that the default protocol is either TLS1.2 or TLS1.3.
+ // No supported platform should default to an older protocol version.
+ assert.eq(0, res["1.0"]);
+ assert.eq(0, res["1.1"]);
+ assert.eq(0, res["unknown"]);
+ assert.neq(res["1.2"], res["1.3"]);
+
+ if (res["1.2"].tojson() != NumberLong(0).tojson()) {
+ return "TLS1_2";
+ } else {
+ return "TLS1_3";
+ }
+}
diff --git a/jstests/ssl/ssl_count_protocols.js b/jstests/ssl/ssl_count_protocols.js
index ae21894eee0..a9e3202c30f 100644
--- a/jstests/ssl/ssl_count_protocols.js
+++ b/jstests/ssl/ssl_count_protocols.js
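Review bot: The return decision at the end of detectDefaultTLSProtocol only tests whether the `1.2` counter is non-zero, and the `assert.neq(res["1.2"], res["1.3"])` above it does not exclude both counters being non-zero, so an unexpected second connection to the probe server would be reported as TLS1_2 instead of failing the probe. The helper appears to rely on observing exactly one connection (the shell's own), so asserting that one of the two counters is zero would make a mixed reading fail loudly, e.g. `assert(res["1.2"].tojson() === NumberLong(0).tojson() || res["1.3"].tojson() === NumberLong(0).tojson(), "expected exactly one default TLS version to be observed");`. For the same reason the `!=` on the two tojson() strings is better written `!==`. A short header comment would also help: that the helper starts and stops a throwaway mongod with every TLS version enabled and returns the version the shell's own TLS stack negotiated, either "TLS1_2" or "TLS1_3", failing if anything older or unknown is seen.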
@@ -2,23 +2,35 @@ (function() { 'use strict'; + load("jstests/ssl/libs/ssl_helpers.js"); + var SERVER_CERT = "jstests/libs/server.pem"; var CLIENT_CERT = "jstests/libs/client.pem"; var CA_CERT = "jstests/libs/ca.pem"; + const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]; + + // First, figure out what protocol our local TLS stack wants to speak. + // We're going to observe a connection of this type from the testrunner. + const expectedDefaultProtocol = detectDefaultTLSProtocol(); + print("Expected default protocol: " + expectedDefaultProtocol); + function runTestWithoutSubset(client) { - let disabledProtocols = ["TLS1_0", "TLS1_1", "TLS1_2"]; - let expectedCounts = [0, 0, 1]; + print("Running test: " + client); + let disabledProtocols = protocols.slice(); + let expectedCounts = [0, 0, 0, 0, 0]; + expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1; var index = disabledProtocols.indexOf(client); disabledProtocols.splice(index, 1); expectedCounts[index] += 1; + print(tojson(expectedCounts)); const conn = MongoRunner.runMongod({ sslMode: 'allowSSL', sslPEMKeyFile: SERVER_CERT, sslDisabledProtocols: 'none', useLogFiles: true, - tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2", + tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3", }); print(disabledProtocols); 
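Review bot: `expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1;` writes to a `-1` property rather than an array slot if the detector ever returns a name that is not in `protocols`, and nothing would fail until the serverStatus comparison later in the function. A guard such as `assert.neq(-1, protocols.indexOf(expectedDefaultProtocol), "unknown default protocol");` before the assignment would make that explicit, and the pre-existing `disabledProtocols.indexOf(client)` deserves the same check now that the list is derived from `protocols` and `splice(-1, 1)` would silently drop the last entry. The new `print(tojson(expectedCounts));` is an unlabelled debug dump; `print("Expected counts: " + tojson(expectedCounts));` reads better in the log. runTestWithoutSubset continues past the end of this hunk.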
@@ -43,8 +55,21 @@ 'a[one] = NumberLong(' + expectedCounts[0] + ');' + 'a["1.1"] = NumberLong(' + expectedCounts[1] + ');' + 'a["1.2"] = NumberLong(' + expectedCounts[2] + ');' + + 'a["1.3"] = NumberLong(' + expectedCounts[3] + ');' + + 'a["unknown"] = NumberLong(' + expectedCounts[4] + ');' + 'assert.eq(db.serverStatus().transportSecurity, a);'); + if (expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3") { + // If the runtime environment does not support TLS 1.3, a client cannot connect to a + // server if TLS 1.3 is its only usable protocol version. + assert.neq( + 0, + exitStatus, + "A client which does not support TLS 1.3 should not be able to connect with it"); + MongoRunner.stopMongod(conn); + return; + } + assert.eq(0, exitStatus, ""); print(`Checking ${conn.fullOptions.logFile} for TLS version message`); @@ -73,5 +98,6 @@ runTestWithoutSubset("TLS1_0"); runTestWithoutSubset("TLS1_1"); runTestWithoutSubset("TLS1_2"); + runTestWithoutSubset("TLS1_3"); })(); diff --git a/jstests/ssl/tls1_0.js b/jstests/ssl/tls1_0.js index dc2b706ae80..5c751d73f0f 100644 --- a/jstests/ssl/tls1_0.js +++ b/jstests/ssl/tls1_0.js @@ -3,6 +3,8 @@ (function() { 'use strict'; + load("jstests/ssl/libs/ssl_helpers.js"); + // There will be cases where a connect is impossible, // let the test runner clean those up. TestData.failIfUnterminatedProcesses = false; @@ -31,6 +33,8 @@ return !supportsTLS1_1; })(); + const supportsTLS1_3 = detectDefaultTLSProtocol() !== "TLS1_2"; + function test(serverDP, clientDP, shouldSucceed) { const expectLogMessage = !defaultEnableTLS1_0 && (serverDP === null); let serverOpts = { 
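Review bot: The early-return branch for `expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3"` treats any non-zero `exitStatus` as proof that the handshake was refused for lack of TLS 1.3, so an unrelated failure of the spawned shell (a bad certificate path, a rejected option) would also satisfy `assert.neq(0, exitStatus, ...)` and the case would pass vacuously. Tying the failure to the protocol, for example by checking the spawned shell's output or the server log file the rest of the function already inspects for a TLS handshake error rather than only the exit code, would make the negative case meaningful. `exitStatus` is assigned and runTestWithoutSubset continues outside this hunk.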
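Review bot: `const supportsTLS1_3 = detectDefaultTLSProtocol() !== "TLS1_2";` in tls1_0.js infers stack capability from the negotiated default, which is a stronger statement than the name suggests, and a comment would stop the next reader from treating it as a direct feature probe, e.g. `// Inferred from the default negotiation: a stack that can speak TLS 1.3 is assumed to pick it when every version is enabled.` It is also worth a word that this line starts and stops an extra mongod at load time, since the file already tolerates unterminated processes. The enclosing IIFE begins and ends outside this hunk.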
@@ -84,9 +88,11 @@ test(null, null, true); test('none', null, true); test('TLS1_0', null, supportsTLS1_1); - test('TLS1_1,TLS1_2', null, !supportsTLS1_1); + test('TLS1_1,TLS1_2', null, !supportsTLS1_1 || supportsTLS1_3); + test('TLS1_1,TLS1_2,TLS1_3', null, !supportsTLS1_1); test('TLS1_0,TLS1_1', null, supportsTLS1_1); - test('TLS1_0,TLS1_1,TLS1_2', null, false); + test('TLS1_0,TLS1_1,TLS1_2', null, supportsTLS1_3); + test('TLS1_0,TLS1_1,TLS1_2,TLS1_3', null, false); // Tests with TLS 1.0 always enabled on client. test(null, 'none', true); @@ -99,6 +105,7 @@ test(null, 'TLS1_0', supportsTLS1_1); test('none', 'TLS1_0', supportsTLS1_1); test('TLS1_0', 'TLS1_0', supportsTLS1_1); - test('TLS1_1,TLS1_2', 'TLS1_0', false); + test('TLS1_1,TLS1_2', 'TLS1_0', supportsTLS1_3); + test('TLS1_1,TLS1_2,TLS1_3', 'TLS1_0', false); test('TLS1_0,TLS1_1', 'TLS1_0', supportsTLS1_1); })(); |
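Review bot: The new predicates in the server-only table, `!supportsTLS1_1 || supportsTLS1_3` on the `'TLS1_1,TLS1_2'` line and `supportsTLS1_3` on the `'TLS1_0,TLS1_1,TLS1_2'` line, combine two independently probed facts and the reader has to reconstruct which version is expected to carry the connection; a trailing comment per changed line would document the intent, e.g. `// server leaves TLS 1.0 and 1.3 enabled` and `// only TLS 1.3 remains; succeeds iff the local stack speaks it`. The same applies to `test('TLS1_1,TLS1_2', 'TLS1_0', supportsTLS1_3);` in the following hunk (-99,6), where the client additionally disables TLS 1.0. The enclosing IIFE begins outside this hunk.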