1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
// Verify certificates and CAs between intra-cluster
// and client->server communication using different CAs.
(function() {
"use strict";
function testRS(opts, succeed) {
const origSkipCheck = TestData.skipCheckDBHashes;
const rsOpts = {
// Use localhost so that SAN matches.
useHostName: false,
nodes: {node0: opts, node1: opts},
};
const rs = new ReplSetTest(rsOpts);
rs.startSet();
if (succeed) {
rs.initiate();
assert.commandWorked(rs.getPrimary().getDB('admin').runCommand({isMaster: 1}));
} else {
assert.throws(function() {
rs.initiate();
});
TestData.skipCheckDBHashes = true;
}
rs.stopSet();
TestData.skipCheckDBHashes = origSkipCheck;
}
// The name "trusted" in these certificates is misleading.
// They're just a separate trust chain from the ones without the name.
// ca.pem signed client.pem and server.pem
// trusted-ca.pem signed trusted-client.pem and trusted-server.pem
const valid_options = {
tlsMode: 'requireTLS',
// Servers present trusted-server.pem to clients and each other for inbound connections.
// Peers validate trusted-server.pem using trusted-ca.pem when making those connections.
tlsCertificateKeyFile: 'jstests/libs/trusted-server.pem',
tlsCAFile: 'jstests/libs/trusted-ca.pem',
// Servers making outbound connections to other servers present server.pem to their peers
// which their peers validate using ca.pem.
tlsClusterFile: 'jstests/libs/server.pem',
tlsClusterCAFile: 'jstests/libs/ca.pem',
// SERVER-36895: IP based hostname validation with SubjectAlternateName
tlsAllowInvalidHostnames: '',
};
testRS(valid_options, true);
const wrong_cluster_file =
Object.assign({}, valid_options, {tlsClusterFile: valid_options.tlsCertificateKeyFile});
testRS(wrong_cluster_file, false);
const wrong_key_file =
Object.assign({}, valid_options, {tlsCertificateKeyFile: valid_options.tlsClusterFile});
testRS(wrong_key_file, false);
const mongod = MongoRunner.runMongod(valid_options);
assert(mongod, "Failed starting standalone mongod with alternate CA");
function testConnect(cert, succeed) {
const mongo = runMongoProgram("mongo",
"--host",
"localhost",
"--port",
mongod.port,
"--tls",
"--tlsCAFile",
valid_options.tlsCAFile,
"--tlsCertificateKeyFile",
cert,
"--eval",
";");
// runMongoProgram returns 0 on success
assert.eq(mongo === 0, succeed);
}
testConnect('jstests/libs/client.pem', true);
testConnect('jstests/libs/trusted-client.pem', false);
MongoRunner.stopMongod(mongod);
}());
|