path: root/jstests/ssl/ssl_alert_reporting.js
// Ensure that TLS version alerts are correctly propagated

load('jstests/ssl/libs/ssl_helpers.js');

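(function() {
    'use strict';

    // Arguments shared by every shell launch: enable TLS, present the client certificate,
    // trust the test CA, and pass a no-op script to --eval.
    const clientOptions = [
        "--ssl",
        "--sslPEMKeyFile",
        "jstests/libs/client.pem",
        "--sslCAFile",
        "jstests/libs/ca.pem",
        "--eval",
        ";"
    ];

    /**
     * Starts a mongod that requires TLS with `serverDisabledProtos` disabled, then repeatedly
     * launches a mongo shell with `clientDisabledProtos` disabled until the shell output
     * contains the protocol-version failure message expected for the TLS provider in use.
     *
     * @param {string} serverDisabledProtos - value for the server's sslDisabledProtocols.
     * @param {string} clientDisabledProtos - value for the shell's --sslDisabledProtocols.
     * @throws {Error} if determineSSLProvider() returns an unrecognized implementation, or
     *     (via assert.soon) if the expected message never shows up in the shell output.
     */
    function runTest(serverDisabledProtos, clientDisabledProtos) {
        const implementation = determineSSLProvider();

        // Each TLS provider words the failure differently, so the expected text is chosen
        // per implementation. Matching the provider-specific text (rather than any
        // connection failure) is what shows that the alert reached the user.
        let expectedRegex;
        if (implementation === "openssl") {
            expectedRegex =
                /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: tlsv1 alert protocol version/;
        } else if (implementation === "windows") {
            expectedRegex =
                /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: The function requested is not supported/;
        } else if (implementation === "apple") {
            expectedRegex =
                /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: Secure.Transport: bad protocol version/;
        } else {
            throw new Error("Unrecognized TLS implementation!");
        }

        const md = MongoRunner.runMongod({
            sslMode: "requireSSL",
            sslCAFile: "jstests/libs/ca.pem",
            sslPEMKeyFile: "jstests/libs/server.pem",
            sslDisabledProtocols: serverDisabledProtos,
        });

        // Output captured from the most recent shell launch; read by the failure message.
        let mongoOutput;

        assert.soon(
            function() {
                // Drop output from earlier attempts so the match only sees this launch.
                clearRawMongoProgramOutput();
                runMongoProgram("mongo",
                                "--port",
                                md.port,
                                ...clientOptions,
                                "--sslDisabledProtocols",
                                clientDisabledProtos);
                mongoOutput = rawMongoProgramOutput();
                return mongoOutput.match(expectedRegex);
            },
            // The message is a function so that it is built on failure, from the last
            // captured output. A plain string concatenation here is evaluated before the
            // first attempt runs and therefore always embeds "undefined".
            function() {
                return "Mongo shell output was as follows:\n" + mongoOutput + "\n************";
            });

        MongoRunner.stopMongod(md);
    }

    // Client receives and reports a protocol version alert if it advertises a protocol older
    // than the server's oldest supported protocol.
    // NOTE(review): the two lists cover TLS 1.0 through 1.2 only. If the TLS library in use
    // can also negotiate a newer version, both sides may still share a protocol and no alert
    // would be raised - confirm against the builds this test runs on.
    runTest("TLS1_0", "TLS1_1,TLS1_2");
}());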