authorSara Golemon <sara.golemon@mongodb.com>2018-04-03 15:02:54 -0400
committerSara Golemon <sara.golemon@mongodb.com>2018-04-05 22:05:29 -0400
commit547224050351961fa5b06b297277ec1ff85c89e7 (patch)
treed101cad6c5ac61a6d1e0a7bc8735d50b064879cc /jstests/ssl
parent41084e8f0fa354a9efc28a354321200e94a2fcf6 (diff)
SERVER-34237 Allow disabling TLS versions in the shell and disable TLS 1.0 by default
Diffstat (limited to 'jstests/ssl')
-rw-r--r--jstests/ssl/tls1_0.js53
1 files changed, 36 insertions, 17 deletions
diff --git a/jstests/ssl/tls1_0.js b/jstests/ssl/tls1_0.js
index e634244af15..0267485cb49 100644
--- a/jstests/ssl/tls1_0.js
+++ b/jstests/ssl/tls1_0.js
@@ -3,6 +3,10 @@
(function() {
'use strict';
+ // There will be cases where a connect is impossible,
+ // let the test runner clean those up.
+ TestData.failIfUnterminatedProcesses = false;
+
const supportsTLS1_1 = (function() {
const openssl = getBuildInfo().openssl || {};
if (openssl.compiled === undefined) {
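Review bot: Setting `TestData.failIfUnterminatedProcesses = false` switches off the leaked-process check for the whole file, and the last hunk removes the `MongoRunner.stopMongod` call, so every one of the 17 `test()` invocations leaves its mongod running until the runner tears the suite down. That masks any other process leak in this test and keeps up to 17 TLS listeners alive concurrently, which is more than a reliability concern on a shared CI host. Unless stopMongod is known to hang when the shell cannot negotiate TLS with that server (the old code already tolerated `EXIT_SIGKILL` on Windows for that case), consider keeping a best-effort stop at the end of `test()`, e.g. `MongoRunner.stopMongod(mongod, undefined, {allowedExitCode: MongoRunner.EXIT_SIGKILL});` wrapped in a try/catch that logs rather than fails, and extend the comment to say that the runner-side cleanup is a fallback for connections that can never be negotiated, not the primary cleanup path.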
@@ -33,21 +37,25 @@
return (buildEnv.target_os === 'macOS');
})();
- function test(disabledProtocols, shouldSucceed) {
- const expectLogMessage = !defaultEnableTLS1_0 && (disabledProtocols === null);
+ function test(serverDP, clientDP, shouldSucceed) {
+ const expectLogMessage = !defaultEnableTLS1_0 && (serverDP === null);
let serverOpts = {
sslMode: 'allowSSL',
sslPEMKeyFile: 'jstests/libs/server.pem',
sslCAFile: 'jstests/libs/ca.pem',
waitForConnect: false
};
- if (disabledProtocols !== null) {
- serverOpts.sslDisabledProtocols = disabledProtocols;
+ if (serverDP !== null) {
+ serverOpts.sslDisabledProtocols = serverDP;
}
clearRawMongoProgramOutput();
const mongod = MongoRunner.runMongod(serverOpts);
assert(mongod);
+ let clientOpts = [];
+ if (clientDP !== null) {
+ clientOpts = ['--sslDisabledProtocols', clientDP];
+ }
const didSucceed = (function() {
try {
assert.soon(function() {
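Review bot: The `let clientOpts = []` declaration followed by a conditional reassignment reads as a mutable accumulator when it is really a one-shot value; a conditional `const` states the intent directly, `const clientOpts = (clientDP === null) ? [] : ['--sslDisabledProtocols', clientDP];`. The same applies to `serverOpts`, which is only extended once and could be built with a spread of the conditional property. The body of `test()` continues past this hunk.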
@@ -59,6 +67,7 @@
'jstests/libs/client.pem',
'--sslCAFile',
'jstests/libs/ca.pem',
+ ...clientOpts,
'--eval',
';');
}, "Connecting to mongod", 30 * 1000);
@@ -69,23 +78,33 @@
})();
// Exit code based success/failure.
- assert.eq(didSucceed,
- shouldSucceed,
- "Running with disabledProtocols == " + tojson(disabledProtocols));
+ assert.eq(
+ didSucceed, shouldSucceed, "Running with " + tojson(serverDP) + "/" + tojson(clientDP));
assert.eq(expectLogMessage,
rawMongoProgramOutput().search('Automatically disabling TLS 1.0') >= 0,
"TLS 1.0 was/wasn't automatically disabled");
-
- const exitCode =
- (didSucceed || !_isWindows()) ? MongoRunner.EXIT_CLEAN : MongoRunner.EXIT_SIGKILL;
- MongoRunner.stopMongod(mongod, undefined, {allowedExitCode: exitCode});
}
- test(null, true);
- test('none', true);
- test('TLS1_0', supportsTLS1_1);
- test('TLS1_1,TLS1_2', true);
- test('TLS1_0,TLS1_1', supportsTLS1_1);
- test('TLS1_0,TLS1_1,TLS1_2', false);
+ // Tests with default client behavior (TLS 1.0 disabled if 1.1 available).
+ test(null, null, true);
+ test('none', null, true);
+ test('TLS1_0', null, supportsTLS1_1);
+ test('TLS1_1,TLS1_2', null, !supportsTLS1_1);
+ test('TLS1_0,TLS1_1', null, supportsTLS1_1);
+ test('TLS1_0,TLS1_1,TLS1_2', null, false);
+
+ // Tests with TLS 1.0 always enabled on client.
+ test(null, 'none', true);
+ test('none', 'none', true);
+ test('TLS1_0', 'none', supportsTLS1_1);
+ test('TLS1_1,TLS1_2', 'none', true);
+ test('TLS1_0,TLS1_1', 'none', supportsTLS1_1);
+
+ // Tests with TLS 1.0 explicitly disabled on client.
+ test(null, 'TLS1_0', supportsTLS1_1);
+ test('none', 'TLS1_0', supportsTLS1_1);
+ test('TLS1_0', 'TLS1_0', supportsTLS1_1);
+ test('TLS1_1,TLS1_2', 'TLS1_0', false);
+ test('TLS1_0,TLS1_1', 'TLS1_0', supportsTLS1_1);
})();
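Review bot: The failure message `"Running with " + tojson(serverDP) + "/" + tojson(clientDP)` no longer says which value belongs to which side, so a failing matrix entry such as `test('TLS1_1,TLS1_2', 'TLS1_0', false)` is ambiguous in the log; labelling both, `"server sslDisabledProtocols=" + tojson(serverDP) + ", client --sslDisabledProtocols=" + tojson(clientDP)`, makes the report self-explanatory. A short comment on `expectLogMessage` noting that the 'Automatically disabling TLS 1.0' line is expected from the server only, which is why `clientDP` does not enter the condition, would also help the next reader. Note that the matrix now contains more expected-failure cases, and each of those appears to wait out the full `30 * 1000` ms `assert.soon` timeout before `didSucceed` becomes false, so the file's runtime grows with every `false` row.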