1 files changed, 31 insertions, 8 deletions

diff --git a/jstests/ssl/ssl_count_protocols.js b/jstests/ssl/ssl_count_protocols.js
index 6ecc01bb1b6..dcde1b4b69d 100644
--- a/jstests/ssl/ssl_count_protocols.js
+++ b/jstests/ssl/ssl_count_protocols.js
@@ -2,28 +2,35 @@
 (function() {
     'use strict';
 
+    load("jstests/ssl/libs/ssl_helpers.js");
+
     var SERVER_CERT = "jstests/libs/server.pem";
     var CLIENT_CERT = "jstests/libs/client.pem";
     var CA_CERT = "jstests/libs/ca.pem";
 
+    const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"];
+
+    // First, figure out what protocol our local TLS stack wants to speak.
+    // We're going to observe a connection of this type from the testrunner.
+    const expectedDefaultProtocol = detectDefaultTLSProtocol();
+    print("Expected default protocol: " + expectedDefaultProtocol);
+
     function runTestWithoutSubset(client) {
-        let disabledProtocols = ["TLS1_0", "TLS1_1", "TLS1_2"];
-        let expectedCounts = [0, 0, 0];
-        let clientIndex = 2;
-        if (getBuildInfo().buildEnvironment.target_os === "osx") {
-            clientIndex = 0;
-        }
-        expectedCounts[clientIndex] = 1;
+        print("Running test: " + client);
+        let disabledProtocols = protocols.slice();
+        let expectedCounts = [0, 0, 0, 0, 0];
+        expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1;
         var index = disabledProtocols.indexOf(client);
         disabledProtocols.splice(index, 1);
         expectedCounts[index] += 1;
+        print(tojson(expectedCounts));
 
         const conn = MongoRunner.runMongod({
             sslMode: 'allowSSL',
             sslPEMKeyFile: SERVER_CERT,
             sslDisabledProtocols: 'none',
             useLogFiles: true,
-            tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2",
+            tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3",
         });
 
         print(disabledProtocols);
@@ -48,8 +55,21 @@
                                 'a[one] = NumberLong(' + expectedCounts[0] + ');' +
                                 'a["1.1"] = NumberLong(' + expectedCounts[1] + ');' +
                                 'a["1.2"] = NumberLong(' + expectedCounts[2] + ');' +
+                                'a["1.3"] = NumberLong(' + expectedCounts[3] + ');' +
+                                'a["unknown"] = NumberLong(' + expectedCounts[4] + ');' +
                                 'assert.eq(db.serverStatus().transportSecurity, a);');
 
+        if (expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3") {
+            // If the runtime environment does not support TLS 1.3, a client cannot connect to a
+            // server if TLS 1.3 is its only usable protocol version.
+            assert.neq(
+                0,
+                exitStatus,
+                "A client which does not support TLS 1.3 should not be able to connect with it");
+            MongoRunner.stopMongod(conn);
+            return;
+        }
+
         assert.eq(0, exitStatus, "");
 
         print(`Checking ${conn.fullOptions.logFile} for TLS version message`);
@@ -76,6 +96,9 @@
     }
 
     runTestWithoutSubset("TLS1_0");
+    runTestWithoutSubset("TLS1_1");
+    runTestWithoutSubset("TLS1_2");
+    runTestWithoutSubset("TLS1_3");
 
     // OpenSSL 0.9.8 on macOS only supports TLS 1.0
     if (getBuildInfo().buildEnvironment.target_os !== "osx") {