SERVER-103806 Prefer using a CA file over tlsAllowInvalidCertificates for mongo clients in ssl tests (#35113)

GitOrigin-RevId: 53279ac1d56ad975ae6f407701e34de8cde84a12
2025-04-16 17:25:42 -04:00 · 2025-04-16 17:25:42 -04:00 · 4622dc8889
parent b2eb8c7bdf
commit 4622dc8889
6 changed files with 12 additions and 51 deletions
--- a/jstests/libs/ssl_test.js
+++ b/jstests/libs/ssl_test.js
@ -49,7 +49,7 @@ export function TLSTest(serverOpts, clientOpts) {
 TLSTest.prototype.defaultTLSClientOptions = {
    "tls": "",
    "tlsCertificateKeyFile": "jstests/libs/client.pem",
-    "tlsAllowInvalidCertificates": "",
+    "tlsCAFile": "jstests/libs/ca.pem",
    "eval": ";"  // prevent the shell from entering interactive mode
 };

--- a/jstests/ssl/ssl_crl_revoked.js
+++ b/jstests/ssl/ssl_crl_revoked.js
@ -16,7 +16,8 @@ requireSSLProvider(['openssl', 'windows'], function() {
                                "--port",
                                md.port,
                                "--tls",
-                                "--tlsAllowInvalidCertificates",
+                                "--tlsCAFile",
+                                "jstests/libs/ca.pem",
                                "--tlsCertificateKeyFile",
                                "jstests/libs/client_revoked.pem",
                                "--eval",
--- a/jstests/ssl/ssl_mongodb_x509.js
+++ b/jstests/ssl/ssl_mongodb_x509.js
@ -1,47 +1,5 @@
 import {ReplSetTest} from "jstests/libs/replsettest.js";
-
-var SERVER_CERT = "jstests/libs/server.pem";
-var CLIENT_CERT = "jstests/libs/client.pem";
-var CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client";
-
-jsTest.log("Assert x509 auth is not allowed when a standalone mongod is run without a CA file.");
-
-// allowTLS instead of requireTLS so that the non-SSL connection succeeds.
-var conn = MongoRunner.runMongod({
-    tlsMode: 'allowTLS',
-    tlsCertificateKeyFile: SERVER_CERT,
-    auth: '',
-    tlsCAFile: 'jstests/libs/ca.pem'
-});
-
-var external = conn.getDB('$external');
-external.createUser({
-    user: CLIENT_USER,
-    roles: [
-        {'role': 'userAdminAnyDatabase', 'db': 'admin'},
-        {'role': 'readWriteAnyDatabase', 'db': 'admin'}
-    ]
-});
-
-// Should not be able to authenticate with x509.
-// Authenticate call will return 1 on success, 0 on error.
-var exitStatus = runMongoProgram('mongo',
-                                 '--tls',
-                                 '--tlsAllowInvalidCertificates',
-                                 '--tlsCertificateKeyFile',
-                                 CLIENT_CERT,
-                                 '--port',
-                                 conn.port,
-                                 '--eval',
-                                 ('quit(db.getSiblingDB("$external").auth({' +
-                                  'user: "' + CLIENT_USER + '" ,' +
-                                  'mechanism: "MONGODB-X509"}));'));
-
-jsTest.log("exitStatus: " + exitStatus);
-
-assert.eq(exitStatus, 0, "authentication via MONGODB-X509 without CA succeeded");
-
-MongoRunner.stopMongod(conn);
+import {SERVER_CERT} from "jstests/ssl/libs/ssl_helpers.js";

 jsTest.log("Assert mongod doesn\'t start with CA file missing and clusterAuthMode=x509.");

--- a/jstests/ssl/ssl_weak.js
+++ b/jstests/ssl/ssl_weak.js
@ -12,7 +12,7 @@ var md = MongoRunner.runMongod({
 });

 var mongo = runMongoProgram(
-    "mongo", "--port", md.port, "--tls", "--tlsAllowInvalidCertificates", "--eval", ";");
+    "mongo", "--port", md.port, "--tls", "--tlsCAFile", "jstests/libs/ca.pem", "--eval", ";");

 // 0 is the exit code for success
 assert(mongo == 0);
@ -22,7 +22,8 @@ mongo = runMongoProgram("mongo",
                        "--port",
                        md.port,
                        "--tls",
-                        "--tlsAllowInvalidCertificates",
+                        "--tlsCAFile",
+                        "jstests/libs/ca.pem",
                        "--tlsCertificateKeyFile",
                        "jstests/libs/client.pem",
                        "--eval",
@ -40,7 +41,7 @@ var md2 = MongoRunner.runMongod({
 });

 mongo = runMongoProgram(
-    "mongo", "--port", md2.port, "--tls", "--tlsAllowInvalidCertificates", "--eval", ";");
+    "mongo", "--port", md2.port, "--tls", "--tlsCAFile", "jstests/libs/ca.pem", "--eval", ";");

 // 1 is the exit code for failure
 assert(mongo == 1);
--- a/jstests/ssl/upgrade_to_ssl.js
+++ b/jstests/ssl/upgrade_to_ssl.js
@ -8,7 +8,7 @@
 */

 import {ReplSetTest} from "jstests/libs/replsettest.js";
-import {SERVER_CERT} from "jstests/ssl/libs/ssl_helpers.js";
+import {CA_CERT, SERVER_CERT} from "jstests/ssl/libs/ssl_helpers.js";

 // "tlsAllowInvalidCertificates" is enabled to avoid hostname conflicts with our testing certs
 var opts = {
@ -46,6 +46,6 @@ assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet")

 // Check that ssl connections can be made
 var canConnectSSL = runMongoProgram(
-    "mongo", "--port", rst.ports[0], "--tls", "--tlsAllowInvalidCertificates", "--eval", ";");
+    "mongo", "--port", rst.ports[0], "--tls", "--tlsCAFile", CA_CERT, "--eval", ";");
 assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed");
 rst.stopSet();
--- a/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js
+++ b/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js
@ -70,7 +70,8 @@ function upgradeWriteAndConnect(newOpts, str) {
                              "--port",
                              rst.ports[0],
                              "--ssl",
-                              "--tlsAllowInvalidCertificates",
+                              "--tlsCAFile",
+                              CA_CERT,
                              "--tlsCertificateKeyFile",
                              CLIENT_CERT,
                              "--eval",