path: root/jstests/ssl/ssl_ingress_conn_metrics.js
/**
 * Tests ingress connection metrics.
 *
 * @tags: [requires_fcv_63]
 */

"use strict";

(function() {
load("jstests/ssl/libs/ssl_helpers.js");

// The server below is configured through 'opensslCipherSuiteConfig'. Bail out early on OpenSSL
// builds whose default protocol is not TLS 1.3, since they cannot honour that setParameter.
const runningOnOpenSSL = determineSSLProvider() === "openssl";
if (runningOnOpenSSL && detectDefaultTLSProtocol() !== "TLS1_3") {
    jsTestLog("Platform does not support TLS 1.3; skipping test.");
    return;
}

// Suite pinned on the server so that the negotiated cipher is deterministic under OpenSSL.
// Windows and OSX negotiate their own default, so the expectation is overridden for them below.
const pinnedOpenSSLSuite = "TLS_AES_256_GCM_SHA384";
let expectedCipher = pinnedOpenSSLSuite;

// Server-side TLS settings: TLS is mandatory and the key material comes from the repository's
// test fixtures under jstests/libs.
const tlsOptions = {
    tlsMode: "requireTLS",
    tlsCertificateKeyFile: "jstests/libs/server.pem",
    tlsCAFile: "jstests/libs/ca.pem",
    setParameter: {opensslCipherSuiteConfig: pinnedOpenSSLSuite},
};

/**
 * Spawns a separate 'mongo' shell that connects to the server over TLS with the client
 * certificate, evaluates an empty statement and exits.
 *
 * @returns {boolean} true when the spawned shell exited with code 0.
 */
function testConn() {
    const shellArgs = [
        'mongo',
        '--host',
        'localhost',
        '--port',
        mongod.port,
        '--tls',
        '--tlsCAFile',
        'jstests/libs/ca.pem',
        '--tlsCertificateKeyFile',
        'jstests/libs/client.pem',
        '--eval',
        ';',
    ];
    const exitCode = runMongoProgram(...shellArgs);
    return exitCode === 0;
}

jsTestLog("Establishing connection to mongod");
const mongod = MongoRunner.runMongod(Object.merge(tlsOptions));

// Reads the 'metrics.network' section of serverStatus from the server under test.
const readNetworkMetrics = () => mongod.adminCommand({serverStatus: 1}).metrics.network;

// First snapshot: exactly one ingress TLS connection is expected at this point (presumably the
// one this shell opened when the server was started), and log line 6723804 must report the
// same handshake duration as the cumulative counter.
const firstSnapshot = readNetworkMetrics();
const initialHandshakeTimeMillis = firstSnapshot.totalIngressTLSHandshakeTimeMillis;
jsTestLog(`totalTLSHandshakeTimeMillis: ${initialHandshakeTimeMillis}`);
checkLog.containsJson(mongod, 6723804, {durationMillis: Number(initialHandshakeTimeMillis)});
// Clear the log so that the checks after the second connection only see fresh lines.
assert.commandWorked(mongod.adminCommand({clearLog: 'global'}));
assert.eq(1, firstSnapshot.totalIngressTLSConnections, firstSnapshot);

// Each TLS implementation reports the negotiated cipher under its own log id.
const sslProvider = determineSSLProvider();
let logId;
if (sslProvider === "openssl") {
    logId = 6723801;
} else if (sslProvider === "windows") {
    logId = 6723802;
    // Default suite negotiated by Windows Server 2019. Note that this is a TLS 1.2 suite name,
    // unlike the TLS 1.3 suite pinned for OpenSSL.
    expectedCipher = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
} else if (sslProvider === "apple") {
    logId = 6723803;
    // This code path logs the cipher as its numeric enum value only. 49200 is 0xC030, i.e.
    // "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", the default choice of OSX 12.1.
    expectedCipher = 49200;
} else {
    assert(false, "Failed to determine that we are using a supported SSL provider");
}

// Open a second connection and verify that the handshake time is accumulated in serverStatus:
// the delta between the two snapshots must match the duration logged for the new handshake.
assert.soon(testConn, "Couldn't connect to mongod");
const secondSnapshot = readNetworkMetrics();
const totalTLSHandshakeTimeMillis = secondSnapshot.totalIngressTLSHandshakeTimeMillis;
jsTestLog(`totalTLSHandshakeTimeMillis: ${totalTLSHandshakeTimeMillis}`);
const secondHandshakeDuration = totalTLSHandshakeTimeMillis - initialHandshakeTimeMillis;
checkLog.containsJson(mongod, 6723804, {durationMillis: Number(secondHandshakeDuration)});
assert.soon(() => checkLog.checkContainsOnceJson(mongod, logId, {"cipher": expectedCipher}),
            "failed waiting for log line with negotiated cipher info");
// NOTE(review): the strict comparison assumes the second handshake adds at least 1 ms to the
// counter -- confirm the metric's granularity if this assertion ever turns out to be flaky.
assert.gt(totalTLSHandshakeTimeMillis, initialHandshakeTimeMillis);
assert.eq(2, secondSnapshot.totalIngressTLSConnections, secondSnapshot);

MongoRunner.stopMongod(mongod);
}());