[SERVER-74306] Add more comprehensive integration testing of TLS certificate validation
Created: 23/Feb/23
Updated: 23/Feb/23

Status: Backlog
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Erwin Pe
Assignee: Backlog - Security Team
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Participants:

Description

The current state of the SSL integration tests is lacking when it comes to testing the expected behavior of the server with various combinations of TLS options.

For instance, there should be tests (both negative and positive) to verify that client certificate validation works as expected when the server is configured with (1) only the CAFile, (2) only the clusterCAFile, and (3) both CAFile and clusterCAFile. If neither CAFile nor clusterCAFile is provided, we need a test to ensure that a proper startup warning is emitted in the logs, and that clients using bad certificates can indeed connect to the server.

We should also have a test to verify the cases where the server uses the system CA store to validate ingress connections. For example, on Windows, specifying a certificateSelector or clusterCertificateSelector without specifying a CA PEM file will cause the server to use the system CA store to validate client certificates.

