diff options
author | John Chen <john.chen@mongodb.com> | 2019-12-03 15:40:06 +0000 |
---|---|---|
committer | evergreen <evergreen@mongodb.com> | 2019-12-03 15:40:06 +0000 |
commit | 5cd7e9a0ca88583ad94243d00032486c0ee9052c (patch) | |
tree | d115374070b1d8be35eedb8bfd248b31563b77ab /jstests | |
parent | 57c71a5642d8fc5f73b47999dde687db8efd4d5e (diff) | |
download | mongo-5cd7e9a0ca88583ad94243d00032486c0ee9052c.tar.gz |
SERVER-37135: Track and report TLS 1.3
(cherry picked from commit cbb76539c47068f8836ed05283763e687cf126a7)
(cherry picked from commit 8c1de7e08de30a38f3d878118248735e6e2ea72a)
Diffstat (limited to 'jstests')
-rw-r--r-- | jstests/ssl/libs/ssl_helpers.js | 27 | ||||
-rw-r--r-- | jstests/ssl/ssl_count_protocols.js | 39 |
2 files changed, 58 insertions, 8 deletions
diff --git a/jstests/ssl/libs/ssl_helpers.js b/jstests/ssl/libs/ssl_helpers.js index 50463d8dec9..16657a15b64 100644 --- a/jstests/ssl/libs/ssl_helpers.js +++ b/jstests/ssl/libs/ssl_helpers.js @@ -156,3 +156,30 @@ function mixedShardTest(options1, options2, shouldSucceed) { } } } + +function detectDefaultTLSProtocol() { + const conn = MongoRunner.runMongod({ + sslMode: 'allowSSL', + sslPEMKeyFile: SERVER_CERT, + sslDisabledProtocols: 'none', + useLogFiles: true, + tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3", + }); + + const res = conn.getDB("admin").serverStatus().transportSecurity; + + MongoRunner.stopMongod(conn); + + // Verify that the default protocol is either TLS1.2 or TLS1.3. + // No supported platform should default to an older protocol version. + assert.eq(0, res["1.0"]); + assert.eq(0, res["1.1"]); + assert.eq(0, res["unknown"]); + assert.neq(res["1.2"], res["1.3"]); + + if (res["1.2"].tojson() != NumberLong(0).tojson()) { + return "TLS1_2"; + } else { + return "TLS1_3"; + } +} diff --git a/jstests/ssl/ssl_count_protocols.js b/jstests/ssl/ssl_count_protocols.js index 6ecc01bb1b6..dcde1b4b69d 100644 --- a/jstests/ssl/ssl_count_protocols.js +++ b/jstests/ssl/ssl_count_protocols.js @@ -2,28 +2,35 @@ (function() { 'use strict'; + load("jstests/ssl/libs/ssl_helpers.js"); + var SERVER_CERT = "jstests/libs/server.pem"; var CLIENT_CERT = "jstests/libs/client.pem"; var CA_CERT = "jstests/libs/ca.pem"; + const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]; + + // First, figure out what protocol our local TLS stack wants to speak. + // We're going to observe a connection of this type from the testrunner. + const expectedDefaultProtocol = detectDefaultTLSProtocol(); + print("Expected default protocol: " + expectedDefaultProtocol); + function runTestWithoutSubset(client) { - let disabledProtocols = ["TLS1_0", "TLS1_1", "TLS1_2"]; - let expectedCounts = [0, 0, 0]; - let clientIndex = 2; - if (getBuildInfo().buildEnvironment.target_os === "osx") { - clientIndex = 0; - } - expectedCounts[clientIndex] = 1; + print("Running test: " + client); + let disabledProtocols = protocols.slice(); + let expectedCounts = [0, 0, 0, 0, 0]; + expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1; var index = disabledProtocols.indexOf(client); disabledProtocols.splice(index, 1); expectedCounts[index] += 1; + print(tojson(expectedCounts)); const conn = MongoRunner.runMongod({ sslMode: 'allowSSL', sslPEMKeyFile: SERVER_CERT, sslDisabledProtocols: 'none', useLogFiles: true, - tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2", + tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3", }); print(disabledProtocols); @@ -48,8 +55,21 @@ 'a[one] = NumberLong(' + expectedCounts[0] + ');' + 'a["1.1"] = NumberLong(' + expectedCounts[1] + ');' + 'a["1.2"] = NumberLong(' + expectedCounts[2] + ');' + + 'a["1.3"] = NumberLong(' + expectedCounts[3] + ');' + + 'a["unknown"] = NumberLong(' + expectedCounts[4] + ');' + 'assert.eq(db.serverStatus().transportSecurity, a);'); + if (expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3") { + // If the runtime environment does not support TLS 1.3, a client cannot connect to a + // server if TLS 1.3 is its only usable protocol version. + assert.neq( + 0, + exitStatus, + "A client which does not support TLS 1.3 should not be able to connect with it"); + MongoRunner.stopMongod(conn); + return; + } + assert.eq(0, exitStatus, ""); print(`Checking ${conn.fullOptions.logFile} for TLS version message`); @@ -76,6 +96,9 @@ } runTestWithoutSubset("TLS1_0"); + runTestWithoutSubset("TLS1_1"); + runTestWithoutSubset("TLS1_2"); + runTestWithoutSubset("TLS1_3"); // OpenSSL 0.9.8 on macOS only supports TLS 1.0 if (getBuildInfo().buildEnvironment.target_os !== "osx") { |