authorSpencer Jackson <spencer.jackson@mongodb.com>2018-02-15 15:30:46 -0500
committerSpencer Jackson <spencer.jackson@mongodb.com>2018-05-01 15:12:16 -0400
commit51af489a86f1862de87b51f26a9e818ec3b5df04 (patch)
treee894c8a4273268ace784e701b395e6bb01cdbd1e /jstests/ssl
parent11c54929c6106e7b347c879a6570f217c04bb338 (diff)
SERVER-33329: Make server and shell emit TLS protocol_version alerts
Diffstat (limited to 'jstests/ssl')
-rw-r--r--jstests/ssl/ssl_alert_reporting.js59
1 files changed, 59 insertions, 0 deletions
diff --git a/jstests/ssl/ssl_alert_reporting.js b/jstests/ssl/ssl_alert_reporting.js
new file mode 100644
index 00000000000..da8b630bf0c
--- /dev/null
+++ b/jstests/ssl/ssl_alert_reporting.js
@@ -0,0 +1,59 @@
+// Ensure that TLS version alerts are correctly propagated
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+(function() {
+ 'use strict';
+
+ const clientOptions = [
+ "--ssl",
+ "--sslPEMKeyFile",
+ "jstests/libs/client.pem",
+ "--sslCAFile",
+ "jstests/libs/ca.pem",
+ "--eval",
+ ";"
+ ];
+
+ function runTest(serverDisabledProtos, clientDisabledProtos) {
+ const implementation = determineSSLProvider();
+ let expectedRegex;
+ if (implementation === "openssl") {
+ expectedRegex =
+ /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: tlsv1 alert protocol version/;
+ } else if (implementation === "windows") {
+ expectedRegex =
+ /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: The function requested is not supported/;
+ } else if (implementation === "apple") {
+ expectedRegex =
+ /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: Secure.Transport: bad protocol version/;
+ } else {
+ throw Error("Unrecognized TLS implementation!");
+ }
+
+ var md = MongoRunner.runMongod({
+ nopreallocj: "",
+ sslMode: "requireSSL",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslDisabledProtocols: serverDisabledProtos,
+ });
+
+ clearRawMongoProgramOutput();
+ let shell = runMongoProgram("mongo",
+ "--port",
+ md.port,
+ ...clientOptions,
+ "--sslDisabledProtocols",
+ clientDisabledProtos);
+ let mongoOutput = rawMongoProgramOutput();
+ assert(mongoOutput.match(expectedRegex),
+ "Mongo shell output was as follows:\n" + mongoOutput + "\n************");
+
+ MongoRunner.stopMongod(md);
+ }
+
+ // Client recieves and reports a protocol version alert if it advertises a protocol older than
+ // the server's oldest supported protocol
+ runTest("TLS1_0", "TLS1_1,TLS1_2");
+}());