authorPatrick Freed <patrick.freed@mongodb.com>2018-10-30 11:21:58 -0400
committerPatrick Freed <patrick.freed@mongodb.com>2018-10-30 11:21:58 -0400
commitb9f13ea4f0f8e5a3e69ed99c954d94629e7e2d4a (patch)
tree8e7e9320a098070afc8828ee2f3a247b63808885 /jstests/ssl
parent4d8c956efe27360e8b6828ee62fd3df3ad8f5710 (diff)
SERVER-36616 Enable ECDHE support if platform supports it
Diffstat (limited to 'jstests/ssl')
-rw-r--r--jstests/ssl/ssl_ECDHE_suites.js40
1 files changed, 22 insertions, 18 deletions
diff --git a/jstests/ssl/ssl_ECDHE_suites.js b/jstests/ssl/ssl_ECDHE_suites.js
index d3f65a867bf..cf012abfb30 100644
--- a/jstests/ssl/ssl_ECDHE_suites.js
+++ b/jstests/ssl/ssl_ECDHE_suites.js
@@ -1,4 +1,4 @@
-// Test that a client can authenicate against the server with roles.
+// Test that a client can authenticate against the server with roles.
// Also validates RFC2253
load('jstests/ssl/libs/ssl_helpers.js');
@@ -46,10 +46,9 @@ load('jstests/ssl/libs/ssl_helpers.js');
try {
let ciphers = cat("jstests/ssl/ciphers.json");
- let cipherDict = JSON.parse(ciphers);
- return cipherDict;
+ return JSON.parse(ciphers);
} catch (e) {
- jsTestLog("Failed to parse: " + ciphers + "\n" + ciphers);
+ jsTestLog("Failed to parse ciphers.json");
throw e;
} finally {
const python_delete_command = python + sslyze + "--delete";
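Review bot: The new catch message on the jsTestLog line reports a parse failure, but the same catch also receives failures from `cat()` when ciphers.json is missing or unreadable, so a read failure is logged as a parse failure. Logging the caught error next to the message keeps the diagnostic and the rethrown exception together: `jsTestLog("Failed to read or parse ciphers.json: " + e);`. The enclosing function starts outside the hunk, and the `finally` block that runs the sslyze delete command continues past it.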
@@ -64,34 +63,39 @@ load('jstests/ssl/libs/ssl_helpers.js');
function testSSLYzeOutput(cipherDict) {
// Checking that SSL 1.0, 2.0, 3.0 and TLS 1.0 are not accepted
- for (var i = 0; i < 3; i++) {
- assert.eq(cipherDict[suites[i]].length, 0);
- }
+ suites.slice(0, 3).forEach(tlsVersion => assert(cipherDict[tlsVersion].length === 0));
// Printing TLS 1.1, 1.2, and 1.3 suites that are accepted
- for (var i = 3; i < 6; i++) {
- const TLSVersion = cipherDict[suites[i]].toString().split(",");
- print('*************************\n' + suites[i] + ": ");
- for (var j = 0; j < TLSVersion.length; j++) {
- print(TLSVersion[j]);
- }
+ let hasECDHE = false;
+ suites.slice(3, 6).forEach(tlsVersion => {
+ print('*************************\n' + tlsVersion + ": ");
+ cipherDict[tlsVersion].forEach(cipher => {
+ print(cipher);
+ if (cipher.includes('ECDHE'))
+ hasECDHE = true;
+ });
+ });
+
+ // All platforms except Amazon Linux 1 should support ECDHE
+ if (buildInfo().buildEnvironment.distmod !== 'amazon') {
+ assert(hasECDHE, 'Supports at least one ECDHE cipher suite');
}
}
print("1. Testing x.509 auth to mongod");
{
const x509_options = {
- sslMode: "requireSSL",
- sslCAFile: CA_CERT,
- sslPEMKeyFile: SERVER_CERT,
+ tlsMode: "preferTLS",
+ tlsCAFile: CA_CERT,
+ tlsPEMKeyFile: SERVER_CERT,
ipv6: "",
bind_ip_all: ""
};
let mongod = MongoRunner.runMongod(x509_options);
- var cipherDict = runSSLYze(mongod.port);
+ const cipherDict = runSSLYze(mongod.port);
if (cipherDict !== null) {
testSSLYzeOutput(cipherDict);
}
MongoRunner.stopMongod(mongod);
}
-}()); \ No newline at end of file
+}());
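Review bot: The rejection check for the legacy protocol versions now uses a bare `assert(... === 0)`, so when a version is unexpectedly accepted the failure no longer shows which version or how many suites were offered; `assert.eq(cipherDict[tlsVersion].length, 0, tlsVersion + ' should not be accepted');` keeps the old diagnostic and names the version. The accepted-suite loop calls `.forEach` directly on `cipherDict[tlsVersion]`, whereas the removed code went through `.toString().split(",")`, which suggests the value was not assumed to be an array; confirm the shape sslyze emits, since a string here throws a TypeError before the ECDHE check runs. Switching the server from `requireSSL` to `tlsMode: "preferTLS"` also lets plaintext connections through; if that is deliberate (for the shell's own connection, presumably), a one-line comment on the option would save the next reader from taking it as a weakening of the test. The platform gate compares `distmod` to exactly `'amazon'` while the comment refers to Amazon Linux 1, so it is worth confirming that no other Amazon build reports that distmod value. testSSLYzeOutput is complete within the hunk, but the enclosing IIFE that `}());` closes starts outside it.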