path: root/jstests/ssl/openssl_ciphersuites.js
blob: 770a8fb8c548f92239db7bd2669a3c050ea4cc44 (plain)
// Test the setParameter opensslCipherSuiteConfig for TLS 1.3.
// opensslCipherSuiteConfig allows the user to set the list of cipher suites for just TLS 1.3.

(function() {
"use strict";
load("jstests/ssl/libs/ssl_helpers.js");

// The test is only meaningful when the SSL provider is OpenSSL and detectDefaultTLSProtocol()
// reports TLS 1.3; on any other configuration it logs the reason and returns early.
if (determineSSLProvider() !== "openssl") {
    jsTestLog("SSL provider is not OpenSSL; skipping test.");
    return;
}
if (detectDefaultTLSProtocol() !== "TLS1_3") {
    jsTestLog("Platform does not support TLS 1.3; skipping test.");
    return;
}

// Options shared by both server instances. TLS is mandatory, and waitForConnect is false, so
// each case below has to allow for server start-up itself (assert.soon / sleep).
const serverOptions = {
    tlsMode: "requireTLS",
    tlsCertificateKeyFile: "jstests/libs/server.pem",
    tlsCAFile: "jstests/ssl/x509/root-and-trusted-ca.pem",
    waitForConnect: false,
};

/**
 * Starts a mongod with the shared TLS options, restricted to the given TLS 1.3 cipher suites.
 *
 * @param {string} cipherSuites value for the opensslCipherSuiteConfig setParameter
 * @returns whatever MongoRunner.runMongod returns for the started server
 */
function startServerWithSuites(cipherSuites) {
    return MongoRunner.runMongod(
        Object.merge(serverOptions, {setParameter: {opensslCipherSuiteConfig: cipherSuites}}));
}

/**
 * Makes one TLS connection attempt to the current `mongod` with a separate mongo shell process.
 * The shell presents the trusted client certificate and only evaluates an empty statement, so
 * a zero exit code is taken to mean that the connection was established.
 *
 * @returns {boolean} true when the shell process exited with code 0
 */
function testConn() {
    const shellArgs = [
        'mongo',
        '--host',
        'localhost',
        '--port',
        mongod.port,
        '--tls',
        '--tlsCAFile',
        'jstests/libs/ca.pem',
        '--tlsCertificateKeyFile',
        'jstests/libs/trusted-client.pem',
        '--eval',
        ';',
    ];
    const exitCode = runMongoProgram(...shellArgs);
    return exitCode === 0;
}

// Positive case: a suite that is valid for TLS 1.3 must still let the client connect. The check
// is retried with assert.soon because the server may not be accepting connections yet.
jsTestLog("Testing for successful connection with valid cipher suite config");
let mongod = startServerWithSuites("TLS_AES_256_GCM_SHA384");
assert.soon(testConn, "Client could not connect to server with valid ciphersuite config.");
MongoRunner.stopMongod(mongod);

// Negative case: the server is limited to a suite that OpenSSL disables by default, so a client
// using its default suites should find nothing in common and fail to connect.
// NOTE(review): a single failed attempt after a fixed 30 second sleep cannot tell a rejected
// handshake apart from a server that never started listening. Confirming that the mongod process
// is still running (or that its log records the handshake failure) would tie this assertion to
// the cipher suite restriction itself.
jsTestLog(
    "Testing for unsuccessful connection with cipher suite config which OpenSSL disables by default.");
mongod = startServerWithSuites("TLS_AES_128_CCM_8_SHA256");
sleep(30000);

const connected = testConn();
assert.eq(
    false, connected, "Client successfully connected to server with invalid ciphersuite config.");
MongoRunner.stopMongod(mongod);
})();