1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
// Test that the server supports ECDHE and DHE tls cipher suites.
load('jstests/ssl/libs/ssl_helpers.js');
(function() {
"use strict";
// Need to use toolchain python, which is unsupported on Windows
if (_isWindows()) {
return;
}
// Amazon linux does not currently support ECDHE
const EXCLUDED_BUILDS = ['amazon', 'amzn64'];
const SERVER_CERT = "jstests/libs/server.pem";
const OUTFILE = 'jstests/ssl/ciphers.json';
const suites = [
'sslv2',
'sslv3',
'tls1',
'tls1_1',
'tls1_2',
];
const x509_options = {
tlsMode: 'requireTLS',
tlsCAFile: CA_CERT,
tlsCertificateKeyFile: SERVER_CERT,
ipv6: "",
bind_ip_all: ""
};
const mongod = MongoRunner.runMongod(x509_options);
// Use new toolchain python, if it exists
let python_binary = '/opt/mongodbtoolchain/v4/bin/python3';
if (runProgram('/bin/sh', '-c', 'ls ' + python_binary) !== 0) {
// We are running on mac
python_binary = 'python3';
}
// Run the tls cipher suite enumerator
const python = '/usr/bin/env ' + python_binary;
const enumerator = " jstests/ssl/tls_enumerator.py ";
const python_command = python + enumerator + '--port=' + mongod.port + ' --cafile=' + CA_CERT +
' --cert=' + CLIENT_CERT + ' --outfile=' + OUTFILE;
assert.eq(runProgram('/bin/sh', '-c', python_command), 0);
// Parse its output
let cipherDict = {};
try {
cipherDict = JSON.parse(cat(OUTFILE));
} catch (e) {
jsTestLog("Failed to parse ciphers.json");
throw e;
} finally {
const delete_command = 'rm ' + OUTFILE;
assert.eq(runProgram('/bin/sh', '-c', delete_command), 0);
}
// Checking that SSLv2, SSLv3 and TLS 1.0 are not accepted
suites.slice(0, suites.indexOf('tls1'))
.forEach(tlsVersion => assert(cipherDict[tlsVersion].length === 0));
let hasECDHE = false;
let hasDHE = false;
// Printing TLS 1.1 and 1.2 suites that are accepted
suites.slice(suites.indexOf('tls1_1')).forEach(tlsVersion => {
print('*************************\n' + tlsVersion + ": ");
cipherDict[tlsVersion].forEach(cipher => {
print(cipher);
if (cipher.startsWith('ECDHE')) {
hasECDHE = true;
}
if (cipher.startsWith('DHE')) {
hasDHE = true;
}
});
});
// All platforms except Amazon Linux 1 should support ECDHE and DHE
if (!EXCLUDED_BUILDS.includes(buildInfo().buildEnvironment.distmod)) {
assert(hasECDHE, 'Supports at least one ECDHE cipher suite');
// Secure Transport disallows DHE, so we don't require it on those platforms
if (determineSSLProvider() !== 'apple') {
assert(hasDHE, 'Supports at least one DHE cipher suite');
}
}
// If ECDHE is enabled, DHE should be too (for Java 7 compat)
if (determineSSLProvider() !== 'apple') {
assert(hasDHE === hasECDHE, 'Supports both ECDHE and DHE or neither');
}
MongoRunner.stopMongod(mongod);
}());
|
