-rw-r--r-- | jstests/ssl/ssl_client_bad_certificate_warning.js | 61 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 1 |
2 files changed, 62 insertions, 0 deletions
diff --git a/jstests/ssl/ssl_client_bad_certificate_warning.js b/jstests/ssl/ssl_client_bad_certificate_warning.js
new file mode 100644
index 00000000000..1e63c5a7489
--- /dev/null
+++ b/jstests/ssl/ssl_client_bad_certificate_warning.js
@@ -0,0 +1,61 @@
+// Test mongo shell output logs correct messages when not including certificates or using bad
+// certificates.
+(function() {
+'use strict';
+
+const SERVER_CERT = "jstests/libs/server.pem";
+const CA_CERT = "jstests/libs/ca.pem";
+
+const BAD_CLIENT_CERT = 'jstests/libs/trusted-client.pem';
+
+function testConnect(outputLog, ...args) {
+ const command = ['mongo', '--host', 'localhost', '--port', mongod.port, '--tls', ...args];
+
+ clearRawMongoProgramOutput();
+ const clientPID = _startMongoProgram({args: command});
+
+ assert.soon(function() {
+ const output = rawMongoProgramOutput();
+ if (output.includes(outputLog)) {
+ stopMongoProgramByPid(clientPID);
+ return true;
+ }
+ return false;
+ });
+}
+
+function runTests() {
+ // --tlsCertificateKeyFile not specifed when mongod was started with --tlsCAFile or
+ // --tlsClusterCAFile.
+ testConnect('No SSL certificate provided by peer', '--tlsCAFile', CA_CERT);
+
+ // Certificate not signed by CA_CERT used.
+ testConnect('SSL peer certificate validation failed',
+ '--tlsCAFile',
+ CA_CERT,
+ '--tlsCertificateKeyFile',
+ BAD_CLIENT_CERT);
+}
+
+// Use tlsClusterCAFile
+let mongod = MongoRunner.runMongod({
+ tlsMode: "requireTLS",
+ tlsCertificateKeyFile: SERVER_CERT,
+ tlsClusterCAFile: CA_CERT,
+});
+
+runTests();
+
+MongoRunner.stopMongod(mongod);
+
+// Use tlsCAFile
+mongod = MongoRunner.runMongod({
+ tlsMode: "requireTLS",
+ tlsCertificateKeyFile: SERVER_CERT,
+ tlsCAFile: CA_CERT,
+});
+
+runTests();
+
+MongoRunner.stopMongod(mongod);
+})();
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 3f168cf09f1..09d06724a1d 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
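Review bot: `testConnect` leaks the spawned shell on the failure path: `stopMongoProgramByPid(clientPID)` runs only inside the branch where the expected string appears, so when `assert.soon` times out the client process keeps running into the next test case and the assertion fails with no message naming the log line that was missing. Wrapping the wait in `try`/`finally` so the stop always runs, and passing a message to `assert.soon`, fixes both; the rewritten body is below. `mongod` is a script-level `let` assigned after `testConnect` is defined, which is fine because it is only read at call time, but a one-line comment above the function such as `// Requires the script-level 'mongod' to be running.` would make that dependency explicit. The comment in `runTests` also misspells `specified` as `specifed`.
```javascript
function testConnect(outputLog, ...args) {
    // … unchanged: command construction, clearRawMongoProgramOutput, _startMongoProgram …
    try {
        assert.soon(() => rawMongoProgramOutput().includes(outputLog),
                    'client output did not contain: ' + outputLog);
    } finally {
        stopMongoProgramByPid(clientPID);
    }
}
```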
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1305,6 +1305,7 @@ Status SSLManagerWindows::_loadCertificates(const SSLParams& params) {
 }
 _serverEngine.CAstore = std::move(swChain.getValue());
+ _sslConfiguration.hasCA = true;
 }
 _serverEngine.hasCRL = !params.sslCRLFile.empty();
|
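Review bot: `_sslConfiguration.hasCA = true` is set only in the branch that assigns `_serverEngine.CAstore`, and `_loadCertificates` both starts before and continues past this hunk, so I cannot see whether the `sslClusterCAFile` path loads its store through this same branch or a separate one. The new jstest runs once with `tlsCAFile` and once with `tlsClusterCAFile` and expects the same 'No SSL certificate provided by peer' message in both, so if the cluster-CA store is populated elsewhere in this function that branch presumably needs the same assignment or the warning will fire under only one configuration. A short why-comment on the added line would also help the next reader, e.g. `// hasCA gates the peer-certificate warnings; must be true whenever a CA store is loaded.`, since nothing nearby says what the flag drives.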