blob: 1cef7d23e3e3e7f3d9a1d09b2aba7a2b6fa34f24 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
// Check that OCSP verification works
// @tags: [requires_http_client]
load("jstests/ocsp/lib/mock_ocsp.js");
(function() {
"use strict";
if (determineSSLProvider() !== "openssl") {
return;
}
if (!supportsStapling()) {
return;
}
let mock_ocsp = new MockOCSPServer();
mock_ocsp.start();
let ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_MUSTSTAPLE_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
},
};
jsTestLog("Testing regular stapling with a server using a MustStaple certificate.");
let conn = MongoRunner.runMongod(ocsp_options);
// this connection should succeed, since the server will staple responses
new Mongo(conn.host);
MongoRunner.stopMongod(conn);
ocsp_options = Object.merge(ocsp_options, {
setParameter: {ocspEnabled: true, "failpoint.disableStapling": "{mode: 'alwaysOn'}"},
waitForConnect: false
});
assert.doesNotThrow(() => {
conn = MongoRunner.runMongod(ocsp_options);
});
jsTestLog(
"Testing that a client can connect to a server using a MustStaple certificate and tlsAllowInvalidCertificates enabled.");
waitForServer(conn);
// assert that trying to connect to a server using a MustStaple certificate without a stapled OCSP
// response will fail
jsTestLog(
"Testing that a client cannot connect to a server using a MustStaple certificate without a stapled response.");
assert.throws(() => {
new Mongo(conn.host);
});
MongoRunner.stopMongod(conn);
// The mongoRunner spawns a new Mongo Object to validate the collections which races
// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
// sleep to make sure that the threads don't interfere with each other.
sleep(1000);
mock_ocsp.stop();
}());
|