-rw-r--r-- | jstests/ocsp/ocsp_connection_type_testing.js | 87 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 9 |
2 files changed, 95 insertions, 1 deletions
diff --git a/jstests/ocsp/ocsp_connection_type_testing.js b/jstests/ocsp/ocsp_connection_type_testing.js
new file mode 100644
index 00000000000..b4f7ccae42b
--- /dev/null
+++ b/jstests/ocsp/ocsp_connection_type_testing.js
@@ -0,0 +1,87 @@
+// Check that OCSP verification works
+// @tags: [requires_http_client]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (determineSSLProvider() != "openssl") {
+ return;
+}
+
+let mock_ocsp = new MockOCSPServer("", 10);
+mock_ocsp.start();
+
+// Set Default timeout time to 2 minutes so test doesn't
+// run forever.
+ReplSetTest.kDefaultTimeoutMS = 1 * 30 * 1000;
+
+// We don't want to invoke the hang analyzer because we
+// expect this test to fail by timing out
+MongoRunner.runHangAnalyzer.disable();
+
+const ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_CERT,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "ocspEnabled": "true",
+ },
+};
+
+const rstest = ReplSetTest({
+ name: "OCSP Servers Test",
+ nodes: 2,
+ nodeOptions: ocsp_options,
+});
+
+rstest.startSet();
+
+mock_ocsp.stop();
+
+mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 10);
+mock_ocsp.start();
+
+sleep(10);
+
+assert.throws(() => {
+ rstest.initialize();
+});
+
+rstest.stopSet();
+
+mock_ocsp.stop();
+
+// The next few tests depend on stapling
+// being available.
+if (!supportsStapling()) {
+ return;
+}
+
+mock_ocsp = new MockOCSPServer();
+mock_ocsp.start();
+
+let conn = null;
+
+assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+});
+mock_ocsp.stop();
+
+mock_ocsp = new MockOCSPServer(FAULT_REVOKED);
+mock_ocsp.start();
+
+// The OCSP status of the client's cert would be Revoked,
+// but because we don't want the Server to check the status
+// of the client's cert, we assert that this doesn't throw.
+assert.doesNotThrow(() => {
+ new Mongo(conn.host);
+});
+
+MongoRunner.stopMongod(conn);
+
+sleep(1000);
+mock_ocsp.stop();
+}());
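Review bot: The comment above `ReplSetTest.kDefaultTimeoutMS = 1 * 30 * 1000;` says the timeout is lowered to 2 minutes, but the value is 30 seconds, so either the constant or the comment is wrong; suggest `// Lower the default timeout to 30 seconds so the expected initialize() failure does not run forever.` The strict-mode IIFE compares with `determineSSLProvider() != "openssl"`; `!==` is the idiomatic strict form. `ocsp_options` never sets `sslAllowInvalidCertificates`, so the new early return in `ocspClientCallback` and the `!_allowInvalidCertificates` clause in the companion ssl_manager_openssl.cpp hunk are not exercised by this file; a note in the header comment that only the server-side skip is covered, or an additional case with that flag, would make the coverage explicit. The `new Mongo(conn.host)` handle is discarded without being closed before `MongoRunner.stopMongod(conn)`, which appears intentional but deserves a one-line comment.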
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 37f320c960b..1a992f66b44 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1378,6 +1378,10 @@ constexpr int OCSP_CLIENT_RESPONSE_ERROR = -1;
 constexpr int OCSP_CLIENT_RESPONSE_ACCEPTABLE = 1;
 int ocspClientCallback(SSL* ssl, void* arg) {
+ if (getSSLGlobalParams().sslAllowInvalidCertificates) {
+ return OCSP_CLIENT_RESPONSE_ACCEPTABLE;
+ }
+
 const unsigned char* response_ptr = NULL;
 long length = SSL_get_tlsext_status_ocsp_resp(ssl, &response_ptr);
@@ -2145,7 +2149,10 @@ Future<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
 }
 Future<void> ocspFuture;
- if (sslOCSPEnabled) {
+
+ // The check to ensure that remoteHost is empty is to ensure that we only run OCSP
+ // verification when we are a client, never as a server.
+ if (sslOCSPEnabled && !remoteHost.empty() && !_allowInvalidCertificates) {
 ocspFuture = ocspClientVerification(conn);
 }
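Review bot: The new comment in the second hunk says the check ensures that `remoteHost` is empty, but the condition `!remoteHost.empty()` requires it to be non-empty, so the comment reads inverted; suggest `// Run OCSP verification only as a client (remoteHost is non-empty), never as a server, and skip it entirely when invalid certificates are allowed.` The first hunk reads the flag through `getSSLGlobalParams().sslAllowInvalidCertificates` while the second uses the member `_allowInvalidCertificates`; if those can ever diverge (for instance a manager constructed from non-global params), the stapled-response callback and `ocspClientVerification` would disagree on whether revocation is enforced, so reading both from one source would be safer. The early `return OCSP_CLIENT_RESPONSE_ACCEPTABLE;` happens before the stapled response is read, so a revoked peer certificate is accepted without any trace under `sslAllowInvalidCertificates`; that matches the flag's intent, but a debug-level log at that return would make the bypass visible in diagnostics. Both `ocspClientCallback` and `parseAndValidatePeerCertificate` continue outside the hunk.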