1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
// Make sure MongoD starts with TLS 1.0 disabled (except w/ old OpenSSL).
(function() {
'use strict';
load("jstests/ssl/libs/ssl_helpers.js");
// There will be cases where a connect is impossible,
// let the test runner clean those up.
TestData.failIfUnterminatedProcesses = false;
const supportsTLS1_1 = (function() {
const openssl = getBuildInfo().openssl || {};
if (openssl.compiled === undefined) {
// Native TLS build.
return true;
}
// OpenSSL 0.x.x => TLS 1.0 only.
if (/OpenSSL 0\./.test(openssl.compiled)) {
return false;
}
// OpenSSL 1.0.0-1.0.0k => TLS 1.0 only.
if (/OpenSSL 1\.0\.0[ a-k]/.test(openssl.compiled)) {
return false;
}
// OpenSSL 1.0.0l and later include TLS 1.1 and 1.2
return true;
})();
const defaultEnableTLS1_0 = (function() {
// If the build doesn't support TLS 1.1, then TLS 1.0 is left enabled.
return !supportsTLS1_1;
})();
const supportsTLS1_3 = detectDefaultTLSProtocol() !== "TLS1_2";
function test(serverDP, clientDP, shouldSucceed) {
const expectLogMessage = !defaultEnableTLS1_0 && (serverDP === null);
let serverOpts = {
sslMode: 'allowSSL',
sslPEMKeyFile: 'jstests/libs/server.pem',
sslCAFile: 'jstests/libs/ca.pem',
waitForConnect: true
};
if (serverDP !== null) {
serverOpts.sslDisabledProtocols = serverDP;
}
clearRawMongoProgramOutput();
const mongod = MongoRunner.runMongod(serverOpts);
if (!mongod) {
assert(!shouldSucceed);
return;
}
let clientOpts = [];
if (clientDP !== null) {
clientOpts = ['--sslDisabledProtocols', clientDP];
}
const didSucceed = (0 ==
runMongoProgram('mongo',
'--ssl',
'--port',
mongod.port,
'--sslPEMKeyFile',
'jstests/libs/client.pem',
'--sslCAFile',
'jstests/libs/ca.pem',
...clientOpts,
'--eval',
';'));
MongoRunner.stopMongod(mongod);
// Exit code based success/failure.
assert.eq(
didSucceed, shouldSucceed, "Running with " + tojson(serverDP) + "/" + tojson(clientDP));
assert.eq(expectLogMessage,
rawMongoProgramOutput().search('Automatically disabling TLS 1.0') >= 0,
"TLS 1.0 was/wasn't automatically disabled");
}
// Tests with default client behavior (TLS 1.0 disabled if 1.1 available).
test(null, null, true);
test('none', null, true);
test('TLS1_0', null, supportsTLS1_1);
test('TLS1_1,TLS1_2', null, !supportsTLS1_1 || supportsTLS1_3);
test('TLS1_1,TLS1_2,TLS1_3', null, !supportsTLS1_1);
test('TLS1_0,TLS1_1', null, supportsTLS1_1);
test('TLS1_0,TLS1_1,TLS1_2', null, supportsTLS1_3);
test('TLS1_0,TLS1_1,TLS1_2,TLS1_3', null, false);
// Tests with TLS 1.0 always enabled on client.
test(null, 'none', true);
test('none', 'none', true);
test('TLS1_0', 'none', supportsTLS1_1);
test('TLS1_1,TLS1_2', 'none', true);
test('TLS1_0,TLS1_1', 'none', supportsTLS1_1);
// Tests with TLS 1.0 explicitly disabled on client.
test(null, 'TLS1_0', supportsTLS1_1);
test('none', 'TLS1_0', supportsTLS1_1);
test('TLS1_0', 'TLS1_0', supportsTLS1_1);
test('TLS1_1,TLS1_2', 'TLS1_0', supportsTLS1_3);
test('TLS1_1,TLS1_2,TLS1_3', 'TLS1_0', false);
test('TLS1_0,TLS1_1', 'TLS1_0', supportsTLS1_1);
})();
|
