[SERVER-11127] Add more tests for ssl client options Created: 10/Oct/13  Updated: 02/Aug/16  Resolved: 02/Aug/16

Status: Closed
Project: Core Server
Component/s: Networking
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor - P4
Reporter: Shaun Verch Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-12919 jstest tool helpers do not check pass... Closed
Related
related to SERVER-8682 mongo tools do not support --sslPEMKe... Closed
Backwards Compatibility: Fully Compatible
Participants:

Description

  --ssl                                 use SSL for all connections
  --sslCAFile arg                       Certificate Authority file for SSL
  --sslPEMKeyFile arg                   PEM certificate/key file for SSL
  --sslPEMKeyPassword arg               password for key in PEM file for SSL
  --sslCRLFile arg                      Certificate Revocation List file for
                                        SSL
  --sslFIPSMode                         activate FIPS 140-2 mode at startup

Currently I don't see good jstests for these. There are some for CAFile, and for the server side, but not for the client side, which includes the mongo shell and also the tools (as of SERVER-8682).

Comments
Comment by Andreas Nilsson [ 02/Aug/16 ]

We have a reasonable test coverage of SSL options in the shell right now.

Comment by Shaun Verch [ 26/Feb/14 ]

To give some more context on this, we do actually have tests of this for the server: https://github.com/mongodb/mongo/blob/master/jstests/ssl/ssl_cert_password.js#L13

There's a comment there that says "connects a mongo shell", which may make it seem like the options are passed to the shell as well, but that is not the case here.

The "runMongod" javascript test helper and similar test helpers do the following things:

  1. Fork a new process (in this case "mongod")
  2. Make a new connection to the new process, hard coded to connect via localhost (by calling new Mongo("127.0.0.1:" + newPort))
  3. Return this new connection object

Note that at no point is the "mongo" process forked. What this means is that the connection object is made in the context of the mongo shell that was used to run the test in the first place. This means that if you start a mongo shell with no SSL options, and try to use "runMongod" to create a mongod that only allows SSL connections, a connection cannot be established and an exception will be thrown.

What this means in our test framework is that "--use-ssl" should be passed to "buildscripts/smoke.py" whenever it is used to run javascript tests that are testing SSL connections. This will cause smoke.py to spawn the mongo shell that it uses to run the test with SSL options: https://github.com/mongodb/mongo/blob/master/buildscripts/smoke.py#L453

Note that a few of the SSL options are actually passed to the shell at this point, so only the following are not tested at all on the client side:

--sslPEMKeyPassword arg
--sslCRLFile arg
--sslFIPSMode

None of these options are currently tested for the tools. Part of the reason for this is that the helpers used to spawn tool instances from the jstests do not check the "passthrough" configuration: https://jira.mongodb.org/browse/SERVER-12919
