[SERVER-13014] CRL in jstest suite is expired
Created: 03/Mar/14  Updated: 08/Sep/15  Resolved: 08/Sep/15

Status: Closed
Project: Core Server
Component/s: Security, Testing Infrastructure
Affects Version/s: 2.6.0-rc0
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Shaun Verch
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

 Description   

The "crl_client_revoked.pem" file, which is the CRL we are using to test a revoked certificate, is expired. This means the test was passing not because the certificate was successfully revoked, but because only the failure case was tested and the CRL was expired.

Adding the following to the end of https://github.com/mongodb/mongo/blob/r2.6.0-rc0/jstests/ssl/ssl_crl_revoked.js causes the test to fail:

mongo = runMongoProgram("mongo", "--port", port, "--ssl",
                        "--sslPEMKeyFile", "jstests/libs/client.pem",
                        "--eval", ";");
 
// 0 is the exit code for the shell connecting successfully
assert(mongo==0);



 Comments   
Comment by Andreas Nilsson [ 08/Sep/15 ]

The certificate has been replaced with a new one as part of the work with creating x509gen.

Comment by Eric Milkie [ 04/Mar/14 ]

It turns out that the test is still working, sort of. OpenSSL still rejects revoked certificates, even if the CRL is expired. However, with valid certificates, it will not allow a successful validation with an expired CRL. You get different errors with the two scenarios – these errors both appear in the test log because smoke.py itself tries to connect to the mongod (connection fails due to expired CRL) and the test tries to connect to the mongod with a revoked certificate (connection fails due to revoked certificate).

Comment by Eric Milkie [ 04/Mar/14 ]

Even with a non-expired CRL, the test will still fail if you change the last line to look for 0 as the exit code.
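
An added example, not part of the original ticket or of MongoDB's test suite: a standard-library Python check that reads thisUpdate and nextUpdate from a PEM CRL, so a fixture such as crl_client_revoked.pem can be flagged once its nextUpdate has passed instead of letting a revocation test pass for the wrong reason. All function names are assumptions made for this example, and make_sample_crl builds a constructed, unsigned CRL skeleton rather than a real fixture.

```python
import base64
import re
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def parse_time(tag, raw):
    # UTCTime (0x17) or GeneralizedTime (0x18), Zulu form as RFC 5280 requires.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(pem_text):
    """Return (thisUpdate, nextUpdate) of a PEM CRL; nextUpdate is None if absent."""
    m = re.search(r"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", pem_text, re.S)
    if not m:
        raise ValueError("no X509 CRL block found")
    _, cert_list, _ = read_tlv(base64.b64decode(m.group(1)), 0)  # CertificateList
    _, tbs, _ = read_tlv(cert_list, 0)                           # TBSCertList
    # Only direct children: revocationDate values sit one level deeper.
    times = [parse_time(t, v) for t, v in children(tbs) if t in (0x17, 0x18)]
    return times[0], (times[1] if len(times) > 1 else None)

def crl_is_expired(pem_text, now=None):
    next_update = crl_validity(pem_text)[1]
    return next_update is not None and (now or datetime.now(timezone.utc)) > next_update

def _tlv(tag, body):  # short-form lengths only; enough for the constructed sample
    return bytes([tag, len(body)]) + body

def make_sample_crl(this_update, next_update):
    """Build a constructed, unsigned CRL skeleton (not a real fixture)."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"Constructed CA"))))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + name + _tlv(0x17, this_update) + _tlv(0x17, next_update))
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))
    return "-----BEGIN X509 CRL-----\n" + base64.b64encode(der).decode() + "\n-----END X509 CRL-----\n"
```

Running crl_is_expired over each CRL fixture before the SSL tests start separates "CRL has expired" from "certificate revoked" as the cause of a rejected connection.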
