jstests/ssl/ssl_intermediate_ca.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

// Test that including intermediate certificates
// in the certificate key file will be sent to the remote.

(function() {
'use strict';

load('jstests/ssl/libs/ssl_helpers.js');

if (determineSSLProvider() === 'windows') {
    // FIXME: SERVER-39574
    print("Skipping test with windows SChannel pending SERVER-39574");
    return;
}

// server-intermediate-ca was signed by ca.pem, not trusted-ca.pem
const VALID_CA = 'jstests/libs/ca.pem';
const INVALID_CA = 'jstests/libs/trusted-ca.pem';

function runTest(inbound, outbound) {
    const mongod = MongoRunner.runMongod({
        sslMode: 'requireSSL',
        sslAllowConnectionsWithoutCertificates: '',
        sslPEMKeyFile: 'jstests/libs/server-intermediate-ca.pem',
        sslCAFile: outbound,
        sslClusterCAFile: inbound,
    });
    assert(mongod);
    assert.eq(mongod.getDB('admin').system.users.find({}).toArray(), []);
    MongoRunner.stopMongod(mongod);
}

// Normal mode, we have a valid CA being presented for outbound and inbound.
runTest(VALID_CA, VALID_CA);

// Alternate CA mode, only the inbound CA is valid.
runTest(VALID_CA, INVALID_CA);
})();