authorAdam Cooper <adam.cooper@mongodb.com>2020-07-02 16:06:32 -0400
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-07-14 21:30:49 +0000
commitc02d19aebdba13451d576f56885e3358dad90e48 (patch)
tree6fd3d3ca3c71455e608b9a280ad30df8e38bef84 /jstests
parentd3430cddfc340f76ac71a58587a1a14c6c506b05 (diff)
SERVER-48774 setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled)
Diffstat (limited to 'jstests')
-rw-r--r--jstests/ssl/openssl_ciphersuites.js58
1 files changed, 58 insertions, 0 deletions
diff --git a/jstests/ssl/openssl_ciphersuites.js b/jstests/ssl/openssl_ciphersuites.js
new file mode 100644
index 00000000000..770a8fb8c54
--- /dev/null
+++ b/jstests/ssl/openssl_ciphersuites.js
@@ -0,0 +1,58 @@
+// Test setParameter sslCipherSuitesConfig for TLS 1.3
+// sslCipherSuitesConfig allows the user to set the list of cipher suites for just TLS 1.3
+
+(function() {
+"use strict";
+load("jstests/ssl/libs/ssl_helpers.js");
+
+// Short circuits for system configurations that do not support this setParameter, (i.e. OpenSSL
+// that don't support TLS 1.3)
+if (determineSSLProvider() !== "openssl") {
+ jsTestLog("SSL provider is not OpenSSL; skipping test.");
+ return;
+} else if (detectDefaultTLSProtocol() !== "TLS1_3") {
+ jsTestLog("Platform does not support TLS 1.3; skipping test.");
+ return;
+}
+
+const baseParams = {
+ tlsMode: "requireTLS",
+ tlsCertificateKeyFile: "jstests/libs/server.pem",
+ tlsCAFile: "jstests/ssl/x509/root-and-trusted-ca.pem",
+ waitForConnect: false,
+};
+
+function testConn() {
+ const mongo = runMongoProgram('mongo',
+ '--host',
+ 'localhost',
+ '--port',
+ mongod.port,
+ '--tls',
+ '--tlsCAFile',
+ 'jstests/libs/ca.pem',
+ '--tlsCertificateKeyFile',
+ 'jstests/libs/trusted-client.pem',
+ '--eval',
+ ';');
+ return mongo === 0;
+}
+
+// test a successful connection when setting cipher suites
+jsTestLog("Testing for successful connection with valid cipher suite config");
+let mongod = MongoRunner.runMongod(
+ Object.merge(baseParams, {setParameter: {opensslCipherSuiteConfig: "TLS_AES_256_GCM_SHA384"}}));
+assert.soon(testConn, "Client could not connect to server with valid ciphersuite config.");
+MongoRunner.stopMongod(mongod);
+
+// test an unsuccessful connection when mandating a cipher suite which OpenSSL disables by default
+jsTestLog(
+ "Testing for unsuccessful connection with cipher suite config which OpenSSL disables by default.");
+mongod = MongoRunner.runMongod(Object.merge(
+ baseParams, {setParameter: {opensslCipherSuiteConfig: "TLS_AES_128_CCM_8_SHA256"}}));
+sleep(30000);
+
+assert.eq(
+ false, testConn(), "Client successfully connected to server with invalid ciphersuite config.");
+MongoRunner.stopMongod(mongod);
+})();
\ No newline at end of file
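Review bot: The negative case at the end of the hunk (`sleep(30000)` followed by a single `testConn()`) passes on any connection failure, not only a cipher-suite mismatch: with `waitForConnect: false`, a mongod that exited during startup or is not yet listening also makes `testConn()` return false. Before asserting the failure, the test should confirm the server process is up, and ideally match the handshake error in the server log or client output, so that a startup regression cannot be mistaken for cipher enforcement. The positive case uses `TLS_AES_256_GCM_SHA384`, which OpenSSL enables by default for TLS 1.3, so it would also pass if the parameter were silently ignored; only the negative case shows that the setting is applied. The header comment names `sslCipherSuitesConfig` while the code sets `opensslCipherSuiteConfig`, so the first line should read `// Test setParameter opensslCipherSuiteConfig for TLS 1.3`.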