Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-74306

Add more comprehensive integration testing of TLS certificate validation

    XMLWordPrintableJSON

Details

    • Icon: Task Task
    • Resolution: Unresolved
    • Icon: Major - P3 Major - P3
    • None
    • None
    • None
    • None
    • Server Security

    Description

      The current state of the SSL integration tests are lacking when it comes to testing the expected behavior of the server with various combinations of TLS options.

      For instance, there should be tests (both negative and positive) to verify that client certificate validation works as expected when the server is configured with 1. only the CAFile, 2. only the clusterCAFile, and 3. with both CAFile and clusterCAFile. If neither CAFile nor clusterCAFile is provided, we need to have a test to ensure that a proper startup warning is emitted in the logs, and that client certificates using bad certificates can indeed connect to the server.

      We should also have a test to verify the cases when the server uses the system CA store to validate ingress connections. For example, in Windows, specifying a certificateSelector or clusterCertificateSelector without specifying a CA PEM file, will cause the server to use the system CA store to validate client certificates.

      Attachments

        Activity

          People

            backlog-server-security Backlog - Security Team
            erwin.pe@mongodb.com Erwin Pe
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: