diff options
Diffstat (limited to 'jstests/sslSpecial/tls1_0.js')
| -rw-r--r-- | jstests/sslSpecial/tls1_0.js | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/jstests/sslSpecial/tls1_0.js b/jstests/sslSpecial/tls1_0.js new file mode 100644 index 00000000000..4947f64e941 --- /dev/null +++ b/jstests/sslSpecial/tls1_0.js @@ -0,0 +1,107 @@ +// Make sure MongoD starts with TLS 1.0 disabled (except w/ old OpenSSL). + +(function() { + 'use strict'; + + load("jstests/ssl/libs/ssl_helpers.js"); + + // There will be cases where a connect is impossible, + // let the test runner clean those up. + TestData.failIfUnterminatedProcesses = false; + + const supportsTLS1_1 = (function() { + const openssl = getBuildInfo().openssl || {}; + if (openssl.compiled === undefined) { + // Native TLS build. + return true; + } + // OpenSSL 0.x.x => TLS 1.0 only. + if (/OpenSSL 0\./.test(openssl.compiled)) { + return false; + } + // OpenSSL 1.0.0-1.0.0k => TLS 1.0 only. + if (/OpenSSL 1\.0\.0[ a-k]/.test(openssl.compiled)) { + return false; + } + + // OpenSSL 1.0.0l and later include TLS 1.1 and 1.2 + return true; + })(); + + const defaultEnableTLS1_0 = (function() { + // If the build doesn't support TLS 1.1, then TLS 1.0 is left enabled. + return !supportsTLS1_1; + })(); + + const supportsTLS1_3 = detectDefaultTLSProtocol() !== "TLS1_2"; + + function test(serverDP, clientDP, shouldSucceed) { + const expectLogMessage = !defaultEnableTLS1_0 && (serverDP === null); + let serverOpts = { + sslMode: 'allowSSL', + sslPEMKeyFile: 'jstests/libs/server.pem', + sslCAFile: 'jstests/libs/ca.pem', + waitForConnect: true + }; + if (serverDP !== null) { + serverOpts.sslDisabledProtocols = serverDP; + } + clearRawMongoProgramOutput(); + const mongod = MongoRunner.runMongod(serverOpts); + if (!mongod) { + assert(!shouldSucceed); + return; + } + + let clientOpts = []; + if (clientDP !== null) { + clientOpts = ['--sslDisabledProtocols', clientDP]; + } + const didSucceed = (0 == runMongoProgram('mongo', + '--ssl', + '--port', + mongod.port, + '--sslPEMKeyFile', + 'jstests/libs/client.pem', + '--sslCAFile', + 'jstests/libs/ca.pem', + ...clientOpts, + '--eval', + ';')); + + MongoRunner.stopMongod(mongod); + + // Exit code based success/failure. + assert.eq( + didSucceed, shouldSucceed, "Running with " + tojson(serverDP) + "/" + tojson(clientDP)); + + assert.eq(expectLogMessage, + rawMongoProgramOutput().search('Automatically disabling TLS 1.0') >= 0, + "TLS 1.0 was/wasn't automatically disabled"); + } + + // Tests with default client behavior (TLS 1.0 disabled if 1.1 available). + test(null, null, true); + test('none', null, true); + test('TLS1_0', null, supportsTLS1_1); + test('TLS1_1,TLS1_2', null, !supportsTLS1_1 || supportsTLS1_3); + test('TLS1_1,TLS1_2,TLS1_3', null, !supportsTLS1_1); + test('TLS1_0,TLS1_1', null, supportsTLS1_1); + test('TLS1_0,TLS1_1,TLS1_2', null, supportsTLS1_3); + test('TLS1_0,TLS1_1,TLS1_2,TLS1_3', null, false); + + // Tests with TLS 1.0 always enabled on client. + test(null, 'none', true); + test('none', 'none', true); + test('TLS1_0', 'none', supportsTLS1_1); + test('TLS1_1,TLS1_2', 'none', true); + test('TLS1_0,TLS1_1', 'none', supportsTLS1_1); + + // Tests with TLS 1.0 explicitly disabled on client. + test(null, 'TLS1_0', supportsTLS1_1); + test('none', 'TLS1_0', supportsTLS1_1); + test('TLS1_0', 'TLS1_0', supportsTLS1_1); + test('TLS1_1,TLS1_2', 'TLS1_0', supportsTLS1_3); + test('TLS1_1,TLS1_2,TLS1_3', 'TLS1_0', false); + test('TLS1_0,TLS1_1', 'TLS1_0', supportsTLS1_1); +})(); |