path: root/jstests/ssl/ssl_alert_reporting.js
blob: f9b44b215efbe92b5bc4a0a9b28dad3807b95aad (plain)
// Ensure that TLS version alerts are correctly propagated

// Shared TLS test helpers. The provider probes called below (determineSSLProvider,
// sslProviderSupportsTLS1_1) are not defined in this file and presumably come from here.
load('jstests/ssl/libs/ssl_helpers.js');

(function() {
'use strict';

// Fixed arguments for every mongo shell invocation made by runTest(); the port and the
// disabled-protocol list are appended per run.
const clientOptions = [
    // Connect over TLS with the test client certificate and trust only the test CA.
    "--ssl",
    "--sslPEMKeyFile", "jstests/libs/client.pem",
    "--sslCAFile", "jstests/libs/ca.pem",
    // An empty script: the shell only has to attempt the connection and exit.
    "--eval", ";",
];

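/**
 * Returns the regex the shell's error output must match when the server rejects the
 * client's TLS protocol version. The wording depends on the TLS provider the shell was
 * built against.
 *
 * @param {string} implementation - value returned by determineSSLProvider()
 * @returns {RegExp} pattern matched against rawMongoProgramOutput()
 * @throws {Error} if the provider name is not one of openssl / windows / apple
 */
function expectedProtocolAlertRegex(implementation) {
    if (implementation === "openssl") {
        // When TLS 1.1 is unavailable the test pairs a TLS 1.2-only server with a TLS 1.3-only
        // client; OpenSSL then does not send a protocol version alert (TLS 1.3 is negotiated in
        // an extension, which is too hard to flag as incompatible), so the shell only sees a
        // truncated stream.
        if (!sslProviderSupportsTLS1_1()) {
            return /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: .*stream truncated/;
        }
        return /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: .*tlsv1 alert protocol version/;
    }
    if (implementation === "windows") {
        return /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: .*The function requested is not supported/;
    }
    if (implementation === "apple") {
        return /Error: couldn't connect to server .*:[0-9]*, connection attempt failed: SocketException: .*Secure.Transport: bad protocol version/;
    }
    throw new Error("Unrecognized TLS implementation!");
}

/**
 * Starts a mongod that requires TLS with `serverDisabledProtos` disabled, then repeatedly
 * runs a mongo shell with `clientDisabledProtos` disabled until the shell's output reports
 * the provider-specific protocol version failure. Stops the mongod afterwards.
 *
 * @param {string} serverDisabledProtos - value for the server's sslDisabledProtocols
 * @param {string} clientDisabledProtos - value for the shell's --sslDisabledProtocols
 * @throws {Error} via assert.soon if no matching output appears within 60 seconds
 */
function runTest(serverDisabledProtos, clientDisabledProtos) {
    // Resolve the pattern before starting any process so an unknown provider fails fast.
    const expectedRegex = expectedProtocolAlertRegex(determineSSLProvider());

    const md = MongoRunner.runMongod({
        sslMode: "requireSSL",
        sslCAFile: "jstests/libs/ca.pem",
        sslPEMKeyFile: "jstests/libs/server.pem",
        sslDisabledProtocols: serverDisabledProtos,
    });

    let mongoOutput;
    try {
        assert.soon(
            function() {
                clearRawMongoProgramOutput();
                // The shell is expected to fail to connect; only its output is inspected.
                runMongoProgram("mongo",
                                "--port",
                                md.port,
                                ...clientOptions,
                                "--sslDisabledProtocols",
                                clientDisabledProtos);
                mongoOutput = rawMongoProgramOutput();
                return expectedRegex.test(mongoOutput);
            },
            // Built lazily: a plain string here would be concatenated before the first
            // attempt, when mongoOutput is still undefined, and the failure message would
            // never show the shell's actual output.
            () => "Mongo shell output was as follows:\n" + mongoOutput + "\n************",
            60 * 1000);
    } finally {
        // Do not leave the mongod running when the assertion times out.
        MongoRunner.stopMongod(md);
    }
}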

// Client receives and reports a protocol version alert if it advertises a protocol older than
// the server's oldest supported protocol. Where the provider has dropped TLS 1.1, pair a
// TLS 1.2-only server with a TLS 1.3-only client instead (this assumes TLS 1.3 is available).
const [serverDisabledProtos, clientDisabledProtos] = sslProviderSupportsTLS1_1()
    ? ["TLS1_0", "TLS1_1,TLS1_2"]
    : ["TLS1_2", "TLS1_3"];
runTest(serverDisabledProtos, clientDisabledProtos);
}());