author | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-02-15 15:30:46 -0500 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-05-01 15:12:16 -0400 |
commit | 51af489a86f1862de87b51f26a9e818ec3b5df04 (patch) | |
tree | e894c8a4273268ace784e701b395e6bb01cdbd1e /jstests/ssl | |
parent | 11c54929c6106e7b347c879a6570f217c04bb338 (diff) | |
download | mongo-51af489a86f1862de87b51f26a9e818ec3b5df04.tar.gz |
SERVER-33329: Make server and shell emit TLS protocol_version alerts
Diffstat (limited to 'jstests/ssl')
-rw-r--r-- | jstests/ssl/ssl_alert_reporting.js | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/jstests/ssl/ssl_alert_reporting.js b/jstests/ssl/ssl_alert_reporting.js
new file mode 100644
index 00000000000..da8b630bf0c
--- /dev/null
+++ b/jstests/ssl/ssl_alert_reporting.js
@@ -0,0 +1,59 @@
+// Ensure that TLS version alerts are correctly propagated
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+(function() {
+ 'use strict';
+
+ const clientOptions = [
+ "--ssl",
+ "--sslPEMKeyFile",
+ "jstests/libs/client.pem",
+ "--sslCAFile",
+ "jstests/libs/ca.pem",
+ "--eval",
+ ";"
+ ];
+
+ function runTest(serverDisabledProtos, clientDisabledProtos) {
+ const implementation = determineSSLProvider();
+ let expectedRegex;
+ if (implementation === "openssl") {
+ expectedRegex =
+ /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: tlsv1 alert protocol version/;
+ } else if (implementation === "windows") {
+ expectedRegex =
+ /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: The function requested is not supported/;
+ } else if (implementation === "apple") {
+ expectedRegex =
+ /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: Secure.Transport: bad protocol version/;
+ } else {
+ throw Error("Unrecognized TLS implementation!");
+ }
+
+ var md = MongoRunner.runMongod({
+ nopreallocj: "",
+ sslMode: "requireSSL",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslDisabledProtocols: serverDisabledProtos,
+ });
+
+ clearRawMongoProgramOutput();
+ let shell = runMongoProgram("mongo",
+ "--port",
+ md.port,
+ ...clientOptions,
+ "--sslDisabledProtocols",
+ clientDisabledProtos);
+ let mongoOutput = rawMongoProgramOutput();
+ assert(mongoOutput.match(expectedRegex),
+ "Mongo shell output was as follows:\n" + mongoOutput + "\n************");
+
+ MongoRunner.stopMongod(md);
+ }
+
+ // Client recieves and reports a protocol version alert if it advertises a protocol older than
+ // the server's oldest supported protocol
+ runTest("TLS1_0", "TLS1_1,TLS1_2");
+}()); |
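Review bot: The value returned by `runMongoProgram` is stored in `shell` and never read, so `runTest` decides pass or fail on log text alone. In the `windows` branch that text (`The function requested is not supported`) does not name the protocol version and may also match unrelated handshake failures. Asserting the shell's exit status as well would pin the outcome, for example `const exitCode = runMongoProgram(...);` followed by `assert.neq(0, exitCode, "shell connected despite disjoint TLS protocol sets");`. Only the direction where the client offers a protocol older than the server's minimum is exercised by `runTest("TLS1_0", "TLS1_1,TLS1_2")`; the reverse case, which the commit title's "server and shell" suggests is also in scope, would need its own expected message and may be covered outside this path-limited view. `MongoRunner.stopMongod(md)` is skipped when the `assert` throws, so wrapping the client run in `try`/`finally` would keep a mongod from outliving a failed run.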