[CDRIVER-3579] Run TLS tests with certificate validation Created: 19/Mar/20  Updated: 28/Oct/23  Resolved: 23/Jul/20

Status: Closed
Project: C Driver
Component/s: tests, tls
Affects Version/s: None
Fix Version/s: 1.18.0, 1.18.0-alpha

Type: Task Priority: Major - P3
Reporter: Kevin Albertson Assignee: Roberto Sanchez
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-3580 Secure Channel must soft-fail when ce... Closed
is related to CDRIVER-3557 Add evergreen testing with RHEL 6 Closed

 Description   

The test runner sets MONGOC_TEST_SSL_WEAK_CERT_VALIDATION when running tests with SSL. As a result, we may not be exercising our certificate validation code much in tests. Let's try to improve this, and do full certificate validation when testing.



 Comments   
Comment by Githook User [ 23/Jul/20 ]

Author:

{'name': 'Roberto C. Sánchez', 'email': 'roberto@connexer.com', 'username': 'rcsanchez97'}

Message: CDRIVER-3579 run TLS tests with certificate validation
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/e0b047dd69e9c02c815cb10a9675a534b254b998

Comment by Kevin Albertson [ 23/Mar/20 ]

As a note, it is possible the case that enabling certificate validation in tests may only require some changes to the test script run-tests.sh on RHEL 6.2.

When enabling the test variant RHEL 6.2, TLS handshake failures occurred due to certificate validation failure: CDRIVER-3557. run-tests.sh attempts to copy the CA cert to /usr/local/share/ca-certificates here: https://github.com/mongodb/mongo-c-driver/blob/1.16.0/.evergreen/run-tests.sh/#L30-L39. That fails on RHEL 6.2 (example), but succeeds on other variants (Example).

Because of that, tests that were constructing a mongoc_client_t from the test URI without calling test_framework_set_ssl_opts were failing on RHEL 6.2, because they were not disabling certificate validation. Since those tests passed elsewhere, certificate validation was at least working on those tests on every other variant.

Another note, test_framework_get_uri_str includes "ssl=true" if any of the TLS test environment variables are set. But, it sets no other TLS options. Perhaps we should rethink that, since it's very easy to think that constructing a client with test_framework_get_uri_str is equivalent to test_framework_client_new, and the only difference will be that it lacks some TLS options, but still enables TLS.

Generated at Wed Feb 07 21:18:27 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.