authorJohn Chen <john.chen@mongodb.com>2019-12-03 15:40:06 +0000
committerevergreen <evergreen@mongodb.com>2019-12-03 15:40:06 +0000
commit5cd7e9a0ca88583ad94243d00032486c0ee9052c (patch)
treed115374070b1d8be35eedb8bfd248b31563b77ab /jstests
parent57c71a5642d8fc5f73b47999dde687db8efd4d5e (diff)
SERVER-37135: Track and report TLS 1.3
(cherry picked from commit cbb76539c47068f8836ed05283763e687cf126a7) (cherry picked from commit 8c1de7e08de30a38f3d878118248735e6e2ea72a)
Diffstat (limited to 'jstests')
-rw-r--r--jstests/ssl/libs/ssl_helpers.js27
-rw-r--r--jstests/ssl/ssl_count_protocols.js39
2 files changed, 58 insertions, 8 deletions
diff --git a/jstests/ssl/libs/ssl_helpers.js b/jstests/ssl/libs/ssl_helpers.js
index 50463d8dec9..16657a15b64 100644
--- a/jstests/ssl/libs/ssl_helpers.js
+++ b/jstests/ssl/libs/ssl_helpers.js
@@ -156,3 +156,30 @@ function mixedShardTest(options1, options2, shouldSucceed) {
}
}
}
+
+function detectDefaultTLSProtocol() {
+ const conn = MongoRunner.runMongod({
+ sslMode: 'allowSSL',
+ sslPEMKeyFile: SERVER_CERT,
+ sslDisabledProtocols: 'none',
+ useLogFiles: true,
+ tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3",
+ });
+
+ const res = conn.getDB("admin").serverStatus().transportSecurity;
+
+ MongoRunner.stopMongod(conn);
+
+ // Verify that the default protocol is either TLS1.2 or TLS1.3.
+ // No supported platform should default to an older protocol version.
+ assert.eq(0, res["1.0"]);
+ assert.eq(0, res["1.1"]);
+ assert.eq(0, res["unknown"]);
+ assert.neq(res["1.2"], res["1.3"]);
+
+ if (res["1.2"].tojson() != NumberLong(0).tojson()) {
+ return "TLS1_2";
+ } else {
+ return "TLS1_3";
+ }
+}
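Review bot: detectDefaultTLSProtocol() carries no header comment, and its contract — that it starts its own throwaway mongod, reads serverStatus().transportSecurity, and assumes the only TLS connection counted there is the shell's own — is stated nowhere in the hunk. A JSDoc above the function would make that explicit, e.g. `/** Starts a temporary mongod with every TLS version enabled and returns "TLS1_2" or "TLS1_3", whichever the local TLS stack negotiates by default. Asserts that no older protocol version is ever chosen. Relies on SERVER_CERT being in scope where this helper is loaded. */`. Separately, both operands of the `!=` in the final comparison are strings produced by .tojson(), so `if (res["1.2"].tojson() !== NumberLong(0).tojson()) {` is equally safe and avoids implying a coercion that never happens.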
diff --git a/jstests/ssl/ssl_count_protocols.js b/jstests/ssl/ssl_count_protocols.js
index 6ecc01bb1b6..dcde1b4b69d 100644
--- a/jstests/ssl/ssl_count_protocols.js
+++ b/jstests/ssl/ssl_count_protocols.js
@@ -2,28 +2,35 @@
(function() {
'use strict';
+ load("jstests/ssl/libs/ssl_helpers.js");
+
var SERVER_CERT = "jstests/libs/server.pem";
var CLIENT_CERT = "jstests/libs/client.pem";
var CA_CERT = "jstests/libs/ca.pem";
+ const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"];
+
+ // First, figure out what protocol our local TLS stack wants to speak.
+ // We're going to observe a connection of this type from the testrunner.
+ const expectedDefaultProtocol = detectDefaultTLSProtocol();
+ print("Expected default protocol: " + expectedDefaultProtocol);
+
function runTestWithoutSubset(client) {
- let disabledProtocols = ["TLS1_0", "TLS1_1", "TLS1_2"];
- let expectedCounts = [0, 0, 0];
- let clientIndex = 2;
- if (getBuildInfo().buildEnvironment.target_os === "osx") {
- clientIndex = 0;
- }
- expectedCounts[clientIndex] = 1;
+ print("Running test: " + client);
+ let disabledProtocols = protocols.slice();
+ let expectedCounts = [0, 0, 0, 0, 0];
+ expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1;
var index = disabledProtocols.indexOf(client);
disabledProtocols.splice(index, 1);
expectedCounts[index] += 1;
+ print(tojson(expectedCounts));
const conn = MongoRunner.runMongod({
sslMode: 'allowSSL',
sslPEMKeyFile: SERVER_CERT,
sslDisabledProtocols: 'none',
useLogFiles: true,
- tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2",
+ tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3",
});
print(disabledProtocols);
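Review bot: `expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1;` has no guard against indexOf returning -1; if detectDefaultTLSProtocol() ever returned a value outside `protocols`, the assignment would land on a `-1` property rather than an array element and the later serverStatus comparison would presumably fail for an unrelated-looking reason. Capturing the index and asserting on it makes that failure explicit: `const defaultIndex = protocols.indexOf(expectedDefaultProtocol);` / `assert.neq(-1, defaultIndex, "unexpected default protocol: " + expectedDefaultProtocol);` / `expectedCounts[defaultIndex] = 1;`. The tlsLogVersions string is now also duplicated between this file and detectDefaultTLSProtocol() in ssl_helpers.js; `tlsLogVersions: protocols.join(","),` here would keep it in step with the array it is meant to mirror. runTestWithoutSubset continues past the end of this hunk.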
@@ -48,8 +55,21 @@
'a[one] = NumberLong(' + expectedCounts[0] + ');' +
'a["1.1"] = NumberLong(' + expectedCounts[1] + ');' +
'a["1.2"] = NumberLong(' + expectedCounts[2] + ');' +
+ 'a["1.3"] = NumberLong(' + expectedCounts[3] + ');' +
+ 'a["unknown"] = NumberLong(' + expectedCounts[4] + ');' +
'assert.eq(db.serverStatus().transportSecurity, a);');
+ if (expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3") {
+ // If the runtime environment does not support TLS 1.3, a client cannot connect to a
+ // server if TLS 1.3 is its only usable protocol version.
+ assert.neq(
+ 0,
+ exitStatus,
+ "A client which does not support TLS 1.3 should not be able to connect with it");
+ MongoRunner.stopMongod(conn);
+ return;
+ }
+
assert.eq(0, exitStatus, "");
print(`Checking ${conn.fullOptions.logFile} for TLS version message`);
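Review bot: The new early-return branch treats `expectedDefaultProtocol === "TLS1_2"` as proof that the local stack cannot speak TLS 1.3, but that is an inference from the negotiated default rather than a direct capability check, and the comment above it states it as fact. Spelling the assumption out would help the next reader, e.g. `// detectDefaultTLSProtocol() picked TLS1_2, which we take to mean the local TLS stack cannot speak TLS 1.3; a TLS1_3-only server must then reject this client.` The branch also stops the mongod and returns before whatever teardown follows later in runTestWithoutSubset; `exitStatus` and the remainder of the function are outside this hunk, so whether any cleanup is skipped cannot be confirmed from here.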
@@ -76,6 +96,9 @@
}
runTestWithoutSubset("TLS1_0");
+ runTestWithoutSubset("TLS1_1");
+ runTestWithoutSubset("TLS1_2");
+ runTestWithoutSubset("TLS1_3");
// OpenSSL 0.9.8 on macOS only supports TLS 1.0
if (getBuildInfo().buildEnvironment.target_os !== "osx") {