[SERVER-13014] CRL in jstest suite is expired
| Created: 03/Mar/14 | Updated: 08/Sep/15 | Resolved: 08/Sep/15 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Testing Infrastructure |
| Affects Version/s: | 2.6.0-rc0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Shaun Verch | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | 26qa |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Description |
|
The "crl_client_revoked.pem" file, which is the CRL we are using to test a revoked certificate, is expired. This means the test was passing not because the certificate was successfully revoked, but because only the failure case was tested and the CRL was expired. Adding the following to the end of https://github.com/mongodb/mongo/blob/r2.6.0-rc0/jstests/ssl/ssl_crl_revoked.js causes the test to fail:
|
| Comments |
| Comment by Andreas Nilsson [ 08/Sep/15 ] |
|
The certificate has been replaced with a new one as part of the work with creating x509gen. |
| Comment by Eric Milkie [ 04/Mar/14 ] |
|
It turns out that the test is still working, sort of. OpenSSL still rejects revoked certificates, even if the CRL is expired. However, with valid certificates, it will not allow a successful validation with an expired CRL. You get different errors with the two scenarios – these errors both appear in the test log because smoke.py itself tries to connect to the mongod (connection fails due to expired CRL) and the test tries to connect to the mongod with a revoked certificate (connection fails due to revoked certificate). |
| Comment by Eric Milkie [ 04/Mar/14 ] |
|
Even with a non-expired CRL, the test will still fail if you change the last line to look for 0 as the exit code. |