diff --git a/jstests/libs/ssl_test.js b/jstests/libs/ssl_test.js
index ae85ef8c4d7..bb990580a99 100644
--- a/jstests/libs/ssl_test.js
+++ b/jstests/libs/ssl_test.js
@@ -49,7 +49,7 @@ export function TLSTest(serverOpts, clientOpts) {
 TLSTest.prototype.defaultTLSClientOptions = {
 "tls": "",
 "tlsCertificateKeyFile": "jstests/libs/client.pem",
- "tlsAllowInvalidCertificates": "",
+ "tlsCAFile": "jstests/libs/ca.pem",
 "eval": ";" // prevent the shell from entering interactive mode
 };
diff --git a/jstests/ssl/ssl_crl_revoked.js b/jstests/ssl/ssl_crl_revoked.js
index 6921d69abe8..e7d87c4b620 100644
--- a/jstests/ssl/ssl_crl_revoked.js
+++ b/jstests/ssl/ssl_crl_revoked.js
@@ -16,7 +16,8 @@ requireSSLProvider(['openssl', 'windows'], function() {
 "--port",
 md.port,
 "--tls",
- "--tlsAllowInvalidCertificates",
+ "--tlsCAFile",
+ "jstests/libs/ca.pem",
 "--tlsCertificateKeyFile",
 "jstests/libs/client_revoked.pem",
 "--eval",
diff --git a/jstests/ssl/ssl_mongodb_x509.js b/jstests/ssl/ssl_mongodb_x509.js
index a65f2f0936f..446d1a7485f 100644
--- a/jstests/ssl/ssl_mongodb_x509.js
+++ b/jstests/ssl/ssl_mongodb_x509.js
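Review bot: The new `"tlsCAFile": "jstests/libs/ca.pem"` entry hard-codes the CA path, whereas the upgrade_to_ssl.js and upgrade_to_x509_ssl_nossl.js hunks in this same commit use the `CA_CERT` constant from jstests/ssl/libs/ssl_helpers.js; the ssl_crl_revoked.js and ssl_weak.js hunks hard-code the string as well. Using the shared constant in all five places keeps a future test-CA rotation to a single edit, assuming ssl_helpers.js can be imported from jstests/libs without creating an import cycle. Replacing `tlsAllowInvalidCertificates` also re-enables hostname verification for every client built from these defaults, so a TLSTest caller that connects to a name not covered by server.pem would now need `tlsAllowInvalidHostnames`; presumably all callers use localhost, but that is not visible here. A comment on the new entry, `// verify the server chain against the test CA (hostname checks are on too)`, would make the stricter default explicit to callers.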
@@ -1,47 +1,5 @@
 import {ReplSetTest} from "jstests/libs/replsettest.js";
-
-var SERVER_CERT = "jstests/libs/server.pem";
-var CLIENT_CERT = "jstests/libs/client.pem";
-var CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client";
-
-jsTest.log("Assert x509 auth is not allowed when a standalone mongod is run without a CA file.");
-
-// allowTLS instead of requireTLS so that the non-SSL connection succeeds.
-var conn = MongoRunner.runMongod({
- tlsMode: 'allowTLS',
- tlsCertificateKeyFile: SERVER_CERT,
- auth: '',
- tlsCAFile: 'jstests/libs/ca.pem'
-});
-
-var external = conn.getDB('$external');
-external.createUser({
- user: CLIENT_USER,
- roles: [
- {'role': 'userAdminAnyDatabase', 'db': 'admin'},
- {'role': 'readWriteAnyDatabase', 'db': 'admin'}
- ]
-});
-
-// Should not be able to authenticate with x509.
-// Authenticate call will return 1 on success, 0 on error.
-var exitStatus = runMongoProgram('mongo',
- '--tls',
- '--tlsAllowInvalidCertificates',
- '--tlsCertificateKeyFile',
- CLIENT_CERT,
- '--port',
- conn.port,
- '--eval',
- ('quit(db.getSiblingDB("$external").auth({' +
- 'user: "' + CLIENT_USER + '" ,' +
- 'mechanism: "MONGODB-X509"}));'));
-
-jsTest.log("exitStatus: " + exitStatus);
-
-assert.eq(exitStatus, 0, "authentication via MONGODB-X509 without CA succeeded");
-
-MongoRunner.stopMongod(conn);
+import {SERVER_CERT} from "jstests/ssl/libs/ssl_helpers.js";
 jsTest.log("Assert mongod doesn\'t start with CA file missing and clusterAuthMode=x509.");
diff --git a/jstests/ssl/ssl_weak.js b/jstests/ssl/ssl_weak.js
index 66b7f4dadc2..205c2a3dfc6 100644
--- a/jstests/ssl/ssl_weak.js
+++ b/jstests/ssl/ssl_weak.js
@@ -12,7 +12,7 @@ var md = MongoRunner.runMongod({
 });
 var mongo = runMongoProgram(
- "mongo", "--port", md.port, "--tls", "--tlsAllowInvalidCertificates", "--eval", ";");
+ "mongo", "--port", md.port, "--tls", "--tlsCAFile", "jstests/libs/ca.pem", "--eval", ";");
 // 0 is the exit code for success
 assert(mongo == 0);
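Review bot: The removed block was this file's negative check that MONGODB-X509 authentication is rejected, and nothing in the hunk replaces it; its log line claimed the server ran "without a CA file" while the runMongod options visibly passed `tlsCAFile: 'jstests/libs/ca.pem'`, so if the block was dropped because that scenario was never actually exercised, a one-line note at the top of the file saying so would stop the next reader from re-adding it as lost coverage. The new side imports only `SERVER_CERT`, while the deleted lines also defined `CLIENT_CERT` and `CLIENT_USER`; any remaining use of those names below this hunk is now an unresolved reference. The rest of the file is outside the hunk, so that needs confirming.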
@@ -22,7 +22,8 @@ mongo = runMongoProgram("mongo",
 "--port",
 md.port,
 "--tls",
- "--tlsAllowInvalidCertificates",
+ "--tlsCAFile",
+ "jstests/libs/ca.pem",
 "--tlsCertificateKeyFile",
 "jstests/libs/client.pem",
 "--eval",
@@ -40,7 +41,7 @@ var md2 = MongoRunner.runMongod({
 });
 mongo = runMongoProgram(
- "mongo", "--port", md2.port, "--tls", "--tlsAllowInvalidCertificates", "--eval", ";");
+ "mongo", "--port", md2.port, "--tls", "--tlsCAFile", "jstests/libs/ca.pem", "--eval", ";");
 // 1 is the exit code for failure
 assert(mongo == 1);
diff --git a/jstests/ssl/upgrade_to_ssl.js b/jstests/ssl/upgrade_to_ssl.js
index 70103db0211..ac2bc281c86 100644
--- a/jstests/ssl/upgrade_to_ssl.js
+++ b/jstests/ssl/upgrade_to_ssl.js
@@ -8,7 +8,7 @@
 */
 import {ReplSetTest} from "jstests/libs/replsettest.js";
-import {SERVER_CERT} from "jstests/ssl/libs/ssl_helpers.js";
+import {CA_CERT, SERVER_CERT} from "jstests/ssl/libs/ssl_helpers.js";
 // "tlsAllowInvalidCertificates" is enabled to avoid hostname conflicts with our testing certs
 var opts = {
@@ -46,6 +46,6 @@ assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet")
 // Check that ssl connections can be made
 var canConnectSSL = runMongoProgram(
- "mongo", "--port", rst.ports[0], "--tls", "--tlsAllowInvalidCertificates", "--eval", ";");
+ "mongo", "--port", rst.ports[0], "--tls", "--tlsCAFile", CA_CERT, "--eval", ";");
 assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed");
 rst.stopSet();
diff --git a/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js b/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js
index e484c096fbe..1b8505f5d0f 100644
--- a/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js
+++ b/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js
@@ -70,7 +70,8 @@ function upgradeWriteAndConnect(newOpts, str) {
 "--port",
 rst.ports[0],
 "--ssl",
- "--tlsAllowInvalidCertificates",
+ "--tlsCAFile",
+ CA_CERT,
 "--tlsCertificateKeyFile",
 CLIENT_CERT,
 "--eval",
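Review bot: `CA_CERT` is used on the new side of the upgrade_to_x509_ssl_nossl.js hunk, but unlike upgrade_to_ssl.js this diff adds no import for it in that file; if jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js does not already bring it in from jstests/ssl/libs/ssl_helpers.js, the shell will fail with a ReferenceError when upgradeWriteAndConnect runs rather than exercising the connection. The enclosing function starts and ends outside the hunk, so the import list is not visible here. The same argument list still mixes the legacy `--ssl` flag with the `--tlsCAFile` spelling; using `"--tls",` would match the other hunks in this commit.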