[CDRIVER-3379] Remove x509 tests against ldaptest.10gen.cc Created: 30/Sep/19  Updated: 27/Oct/23  Resolved: 09/Jan/20

Status: Closed
Project: C Driver
Component/s: Build, tests
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Kevin Albertson Assignee: Kevin Albertson
Resolution: Gone away Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CDRIVER-2940 Regenerate test certificates with SHA... Closed

 Description   

The C driver evergreen project tests auth with x509 against ldaptest.10gen.cc, using certificates referenced in this wiki page
https://wiki.corp.mongodb.com/display/DRIVERS/Testing+x.509.

AFAIK no other drivers are testing x509 auth against ldaptest, but our auth tests are failing on rhel80 due to the weak crypto in those certs.

Copying from Roberto Sanchez's comment in CDRIVER-2940, the authentication task connects like so:

[2019/09/23 22:47:21.881] + echo 'Authenticating using X.509'
[2019/09/23 22:47:21.881] + ./src/libmongoc/mongoc-ping 'mongodb://CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US@ldaptest.10gen.cc/?ssl=true&authMechanism=MONGODB-X509&sslClientCertificateKeyFile=src/libmongoc/tests/x509gen/legacy-x509.pem&sslCertificateAuthorityFile=src/libmongoc/tests/x509gen/legacy-ca.crt&sslAllowInvalidHostnames=true&connectTimeoutMS=30000&serverSelectionTryOnce=false'
[2019/09/23 22:47:51.438] Ping failure: No suitable servers found: `serverselectiontimeoutms` timed out: [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'ldaptest.10gen.cc:27017']
[2019/09/23 22:47:51.439] OpenSSL 1.1.1 FIPS 11 Sep 2018
Authenticating using X.509
[2019/09/23 22:47:51.439] Command failed: command encountered problem: exit status 3

There is a long-open BUILD ticket to regenerate those certs here in BUILD-2782. But I believe testing x509 against ldaptest.10gen.cc does not give us additional coverage. We test x509 as part of our normal auth tests (our orchestration files use the certs referenced in DRIVERS-575, which all other drivers use).

Let's verify that testing against ldaptest.10gen.cc really does not give us any benefit, and then remove those tests.
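Added example, not part of the ticket or the C driver's build scripts: a POSIX shell check that reads `openssl x509 -noout -text` output and flags the properties a stricter OpenSSL policy commonly rejects. The ticket does not say which property of the certs is weak, so the digest list, the 2048-bit RSA minimum and all function names here are assumptions.

```shell
#!/bin/sh
# Added example. Thresholds are assumptions; set them to your platform's policy.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}
WEAK_DIGESTS=${WEAK_DIGESTS:-"md5 sha1"}

# Reads `openssl x509 -noout -text` output on stdin, prints one finding per
# line, and returns 1 if any finding was printed.
check_cert_text() {
    text=$(cat)
    rc=0
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    pk=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sig_lc=$(printf '%s' "$sig" | tr '[:upper:]' '[:lower:]')
    for d in $WEAK_DIGESTS; do
        case $sig_lc in
            *"$d"*) echo "weak-digest $sig"; rc=1 ;;
        esac
    done
    if [ "$pk" = rsaEncryption ] && [ -n "$bits" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "weak-key rsa:$bits"; rc=1
    fi
    return "$rc"
}

# Runs the check on the first certificate in each PEM file named in "$@".
audit_pem() {
    status=0
    for f in "$@"; do
        if ! dump=$(openssl x509 -in "$f" -noout -text 2>/dev/null); then
            echo "$f: no readable certificate"; status=2; continue
        fi
        if ! found=$(printf '%s\n' "$dump" | check_cert_text); then
            [ "$status" -eq 0 ] && status=1
            printf '%s\n' "$found" | while IFS= read -r l; do echo "$f: $l"; done
        fi
    done
    return "$status"
}

# Constructed sample of `openssl x509 -text` output (not a real certificate).
sample_weak_text() {
    cat <<'EOF'
    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
EOF
}
```

Calling `audit_pem` with the PEM files under `src/libmongoc/tests/x509gen/` lists each finding prefixed by its file name. RSASSA-PSS signatures, whose digest appears on a separate line of the text dump, are not covered.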



 Comments   
Comment by Kevin Albertson [ 09/Jan/20 ]

This appears to no longer be failing on master.

Comment by Kevin Albertson [ 08/Jan/20 ]

It appears the referenced failing RHEL 8 patch build was this one: https://evergreen.mongodb.com/version/5d893abb306615699f1e864a but logs are no longer attached.

Generated at Wed Feb 07 21:17:51 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.