mirror of
https://github.com/mongodb/mongo.git
synced 2024-12-01 09:32:32 +01:00
109 lines
3.6 KiB
JavaScript
109 lines
3.6 KiB
JavaScript
// Make sure MongoD starts with TLS 1.0 disabled (except w/ old OpenSSL).
|
|
|
|
(function() {
|
|
'use strict';
|
|
|
|
load("jstests/ssl/libs/ssl_helpers.js");
|
|
|
|
// There will be cases where a connect is impossible,
|
|
// let the test runner clean those up.
|
|
TestData.failIfUnterminatedProcesses = false;
|
|
|
|
const supportsTLS1_1 = (function() {
|
|
const openssl = getBuildInfo().openssl || {};
|
|
if (openssl.compiled === undefined) {
|
|
// Native TLS build.
|
|
return true;
|
|
}
|
|
// OpenSSL 0.x.x => TLS 1.0 only.
|
|
if (/OpenSSL 0\./.test(openssl.compiled)) {
|
|
return false;
|
|
}
|
|
// OpenSSL 1.0.0-1.0.0k => TLS 1.0 only.
|
|
if (/OpenSSL 1\.0\.0[ a-k]/.test(openssl.compiled)) {
|
|
return false;
|
|
}
|
|
|
|
// OpenSSL 1.0.0l and later include TLS 1.1 and 1.2
|
|
return true;
|
|
})();
|
|
|
|
const defaultEnableTLS1_0 = (function() {
|
|
// If the build doesn't support TLS 1.1, then TLS 1.0 is left enabled.
|
|
return !supportsTLS1_1;
|
|
})();
|
|
|
|
const supportsTLS1_3 = detectDefaultTLSProtocol() !== "TLS1_2";
|
|
|
|
function test(serverDP, clientDP, shouldSucceed) {
|
|
const expectLogMessage = !defaultEnableTLS1_0 && (serverDP === null);
|
|
let serverOpts = {
|
|
sslMode: 'allowSSL',
|
|
sslPEMKeyFile: 'jstests/libs/server.pem',
|
|
sslCAFile: 'jstests/libs/ca.pem',
|
|
waitForConnect: true
|
|
};
|
|
if (serverDP !== null) {
|
|
serverOpts.sslDisabledProtocols = serverDP;
|
|
}
|
|
clearRawMongoProgramOutput();
|
|
const mongod = MongoRunner.runMongod(serverOpts);
|
|
if (!mongod) {
|
|
assert(!shouldSucceed);
|
|
return;
|
|
}
|
|
|
|
let clientOpts = [];
|
|
if (clientDP !== null) {
|
|
clientOpts = ['--sslDisabledProtocols', clientDP];
|
|
}
|
|
const didSucceed = (0 ==
|
|
runMongoProgram('mongo',
|
|
'--ssl',
|
|
'--port',
|
|
mongod.port,
|
|
'--sslPEMKeyFile',
|
|
'jstests/libs/client.pem',
|
|
'--sslCAFile',
|
|
'jstests/libs/ca.pem',
|
|
...clientOpts,
|
|
'--eval',
|
|
';'));
|
|
|
|
MongoRunner.stopMongod(mongod);
|
|
|
|
// Exit code based success/failure.
|
|
assert.eq(
|
|
didSucceed, shouldSucceed, "Running with " + tojson(serverDP) + "/" + tojson(clientDP));
|
|
|
|
assert.eq(expectLogMessage,
|
|
rawMongoProgramOutput().search('Automatically disabling TLS 1.0') >= 0,
|
|
"TLS 1.0 was/wasn't automatically disabled");
|
|
}
|
|
|
|
// Tests with default client behavior (TLS 1.0 disabled if 1.1 available).
|
|
test(null, null, true);
|
|
test('none', null, true);
|
|
test('TLS1_0', null, supportsTLS1_1);
|
|
test('TLS1_1,TLS1_2', null, !supportsTLS1_1 || supportsTLS1_3);
|
|
test('TLS1_1,TLS1_2,TLS1_3', null, !supportsTLS1_1);
|
|
test('TLS1_0,TLS1_1', null, supportsTLS1_1);
|
|
test('TLS1_0,TLS1_1,TLS1_2', null, supportsTLS1_3);
|
|
test('TLS1_0,TLS1_1,TLS1_2,TLS1_3', null, false);
|
|
|
|
// Tests with TLS 1.0 always enabled on client.
|
|
test(null, 'none', true);
|
|
test('none', 'none', true);
|
|
test('TLS1_0', 'none', supportsTLS1_1);
|
|
test('TLS1_1,TLS1_2', 'none', true);
|
|
test('TLS1_0,TLS1_1', 'none', supportsTLS1_1);
|
|
|
|
// Tests with TLS 1.0 explicitly disabled on client.
|
|
test(null, 'TLS1_0', supportsTLS1_1);
|
|
test('none', 'TLS1_0', supportsTLS1_1);
|
|
test('TLS1_0', 'TLS1_0', supportsTLS1_1);
|
|
test('TLS1_1,TLS1_2', 'TLS1_0', supportsTLS1_3);
|
|
test('TLS1_1,TLS1_2,TLS1_3', 'TLS1_0', false);
|
|
test('TLS1_0,TLS1_1', 'TLS1_0', supportsTLS1_1);
|
|
})();
|