author | Adam Cooper <adam.cooper@mongodb.com> | 2020-07-02 16:06:32 -0400 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-07-14 21:30:49 +0000 |
commit | c02d19aebdba13451d576f56885e3358dad90e48 (patch) | |
tree | 6fd3d3ca3c71455e608b9a280ad30df8e38bef84 /jstests | |
parent | d3430cddfc340f76ac71a58587a1a14c6c506b05 (diff) | |
download | mongo-c02d19aebdba13451d576f56885e3358dad90e48.tar.gz |
SERVER-48774 setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled)
Diffstat (limited to 'jstests')
-rw-r--r-- | jstests/ssl/openssl_ciphersuites.js | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/jstests/ssl/openssl_ciphersuites.js b/jstests/ssl/openssl_ciphersuites.js
new file mode 100644
index 00000000000..770a8fb8c54
--- /dev/null
+++ b/jstests/ssl/openssl_ciphersuites.js
@@ -0,0 +1,58 @@
+// Test setParameter sslCipherSuitesConfig for TLS 1.3
+// sslCipherSuitesConfig allows the user to set the list of cipher suites for just TLS 1.3
+
+(function() {
+"use strict";
+load("jstests/ssl/libs/ssl_helpers.js");
+
+// Short circuits for system configurations that do not support this setParameter, (i.e. OpenSSL
+// that don't support TLS 1.3)
+if (determineSSLProvider() !== "openssl") {
+ jsTestLog("SSL provider is not OpenSSL; skipping test.");
+ return;
+} else if (detectDefaultTLSProtocol() !== "TLS1_3") {
+ jsTestLog("Platform does not support TLS 1.3; skipping test.");
+ return;
+}
+
+const baseParams = {
+ tlsMode: "requireTLS",
+ tlsCertificateKeyFile: "jstests/libs/server.pem",
+ tlsCAFile: "jstests/ssl/x509/root-and-trusted-ca.pem",
+ waitForConnect: false,
+};
+
+function testConn() {
+ const mongo = runMongoProgram('mongo',
+ '--host',
+ 'localhost',
+ '--port',
+ mongod.port,
+ '--tls',
+ '--tlsCAFile',
+ 'jstests/libs/ca.pem',
+ '--tlsCertificateKeyFile',
+ 'jstests/libs/trusted-client.pem',
+ '--eval',
+ ';');
+ return mongo === 0;
+}
+
+// test a successful connection when setting cipher suites
+jsTestLog("Testing for successful connection with valid cipher suite config");
+let mongod = MongoRunner.runMongod(
+ Object.merge(baseParams, {setParameter: {opensslCipherSuiteConfig: "TLS_AES_256_GCM_SHA384"}}));
+assert.soon(testConn, "Client could not connect to server with valid ciphersuite config.");
+MongoRunner.stopMongod(mongod);
+
+// test an unsuccessful connection when mandating a cipher suite which OpenSSL disables by default
+jsTestLog(
+ "Testing for unsuccessful connection with cipher suite config which OpenSSL disables by default.");
+mongod = MongoRunner.runMongod(Object.merge(
+ baseParams, {setParameter: {opensslCipherSuiteConfig: "TLS_AES_128_CCM_8_SHA256"}}));
+sleep(30000);
+
+assert.eq(
+ false, testConn(), "Client successfully connected to server with invalid ciphersuite config.");
+MongoRunner.stopMongod(mongod);
+})();
\ No newline at end of file |
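Review bot: The negative case cannot distinguish a cipher-suite rejection from any other connection failure. After `sleep(30000)` the single `testConn()` call also returns false if mongod exited during startup or is not yet listening, and with `waitForConnect: false` nothing has confirmed the server is up. The test would therefore pass even if the server never enforced `TLS_AES_128_CCM_8_SHA256` but was simply unreachable. Assert that the process is still alive before the attempt, for example `assert(checkProgram(mongod.pid).alive, "mongod exited before the negative connection attempt");`, and preferably look for the handshake failure in the server log rather than relying on a fixed sleep. The header comment also names `sslCipherSuitesConfig` while the test sets `opensslCipherSuiteConfig`; it should read `// Test setParameter opensslCipherSuiteConfig for TLS 1.3`.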