SERVER-94747 OCSP test enhancements (#38783)
GitOrigin-RevId: 74e1f27e6aaa6d399b790e28b95db97043355be8
parent
e800e0a738
commit
7912edcb44
@ -864,6 +864,9 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
# The following patterns are parsed from ./jstests/libs/index_builds/OWNERS.yml
/jstests/libs/index_builds/**/* @10gen/server-index-builds @svc-auto-approve-bot
# The following patterns are parsed from ./jstests/libs/ocsp/OWNERS.yml
/jstests/libs/ocsp/**/* @10gen/server-security @svc-auto-approve-bot
# The following patterns are parsed from ./jstests/libs/override_methods/OWNERS.yml
/jstests/libs/override_methods/**/*golden_overrides.js @10gen/query-optimization @svc-auto-approve-bot
/jstests/libs/override_methods/**/*changestream* @10gen/query-execution-change-streams @svc-auto-approve-bot
@ -8,8 +8,8 @@ executor:
config:
shell_options:
nodb: ""
ssl: ""
tls: ""
tlsCAFile: jstests/libs/ocsp/ca_ocsp.pem
tlsCertificateKeyFile: jstests/libs/ocsp/client_ocsp.pem
sslAllowInvalidHostnames: ""
tlsAllowInvalidHostnames: ""
setShellParameter: ocspEnabled=true
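--- /dev/null
+++ b/jstests/libs/ocsp/OWNERS.yml
@@ -0,0 +1,5 @@
+version: 1.0.0
+filters:
+- "*":
+approvers:
+- 10gen/server-security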
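--- /dev/null
+++ b/jstests/libs/ocsp/server_no_ocsp.pem
@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIEN8i9NDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjUwNzE0MTkyOTQwWhcNMjcxMDE2MTkyOTQwWjBiMRAwDgYD
+VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z
+dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTEwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCh7AJPWf1MbLsF9VMvZQ55UV/0
+wWh0I8Gms8XjRNyQrxDyGR0fivMfWBMtjCIhU5nzYfBmwgBXTvU/OzvEwXEvOIAZ
+5wdkdOI//dpBZDBQr6tMuAAEwBrJIPLXySQOJaBsNIBSKiK7QklxRx3mlDsiAmyl
+9JRpSzzGw7Jjvydz1cLAuldsfRQeO6N9SoKDbiNNZ7xA+6Vl+fzn20sCT0APSAR4
+ws36NGUmsNryiePc/YEnCaQg++VO4vwMLN4OqLlYWY1QzqMpInd42nSepB0LG1bD
+vOLE9HxC5k4XcVDq2oZfSL6vcuNfvJ34i++AK44Z2l8V7eZMdUKKtf5L3IprAgMB
+AAGjdDByMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUy8SmG22ofeSxPrLfUE7eFIyvQKYwGgYD
+VR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQCy1EWL
+Br8MI3XfqIBkihyxYE0wKw9dFdLR3HfVYWHKQxdtm8GN7b2tBj9lvQ/4TcYFspgX
+XfTqEsq8p5nyLJWbNov6sbruaWbRlKkgpWxicvN5OTVolFz3fB2G71RaFw+6RYrN
+jiPPYdvouQX043PaiMVn/DrjiDYL1iwjswOKc30qdB2N6H/xAdjQWVNB2mCE2oWk
+dOXxHAPQCzRShWTfR33n/jHARkJ1uMq8X6pUzPSxfKKD0LKgMT0ZedbkgG+xeohP
+pE/E8aigNblXGxbcEDgHHF22OKSV9pbpzeLrYX6LuNoTI7J/M6X41VlqfDC9H7oC
+jemdE7F9lmFGEptr
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCh7AJPWf1MbLsF
+9VMvZQ55UV/0wWh0I8Gms8XjRNyQrxDyGR0fivMfWBMtjCIhU5nzYfBmwgBXTvU/
+OzvEwXEvOIAZ5wdkdOI//dpBZDBQr6tMuAAEwBrJIPLXySQOJaBsNIBSKiK7Qklx
+Rx3mlDsiAmyl9JRpSzzGw7Jjvydz1cLAuldsfRQeO6N9SoKDbiNNZ7xA+6Vl+fzn
+20sCT0APSAR4ws36NGUmsNryiePc/YEnCaQg++VO4vwMLN4OqLlYWY1QzqMpInd4
+2nSepB0LG1bDvOLE9HxC5k4XcVDq2oZfSL6vcuNfvJ34i++AK44Z2l8V7eZMdUKK
+tf5L3IprAgMBAAECggEAJrS18KYASK6NHmWAVwn/JbzwBR/eijSp6+F5YlRprSRM
+FrMuJQYgC9QP8YlX90N2v5kf0FB7qGM1eMH+DZB4L+N/q7FwMPFHzCgwbgU3D3KO
+ri4lwvzw6jc4FaD9P2x7JqJ+MiXkW4MC71MisKWqZPzTX/BRMcJMau8Iy5M8KRIE
+TF2pNu2N3gITGNWCUqKT1Qa4l/QYTRfmKuBlzMnUPfbJn7wzqClhpUOQw/k16Wzg
+rPITPpqWobLs3mE7cPHGFYV+Uaikq+pKlI8dZ0CniGM/AoXBQmxXR0ei4lNJj204
+ZqJMvTR4ToGfEXFm1KI/3Zb7QBTOoU2KY9X8wKDuUQKBgQDgIfJTs/bZ070f+9cO
+QEDlOKy3r5dzpJmnL5L+gdjRHz7D659kY+Ul0KZisGu6P/ksDzLzrzTGmasbctNq
+tHQRAKNNIltSeaQuwZQagWHH73ttHboKz7pIW5e/Gmu42GhTq1roRacwVs0UYIf5
+3kopDf+kjsDiLcFaIgWfZ8wDvQKBgQC48bJiwEpGhXQzYvsygN24Dr2bH751Y2EA
+JSNCQL0CmXGtu/EwlVhFVs40BnkefbHGgN35aazje6Ov0NebYp4r9yzsK1R1LrWj
+wTcXC1kqHR2FOEBrpWQjkZD/tcWSRo++4R39HfxfBo0SpU845E5IpeeXea1Y/nFO
+c/2nkO0VRwKBgQDBLqE2YgwnLeh589AluV319EZyQEdy5nGFd2zkLrjZbmvj5GfK
+2Is+b7upnlQMAW3b+vG4tc/wSa0AiJUPCKBtszYNmspJqQzJPBJSUigccx7YKuIa
+xXbTPRbrIXOtq+EoFK7TOo3jDT3QDW/F/0G+ZxFsHZrEmBlqfZ6JCab/pQKBgGnn
+PVb+9YlcciXa0C0jTdNP3ZMuoklmFu2WVpJhr9oFM+tga8R+QIW0J2/zJPgo0dvx
+fyqLMM0yx5Ct7ki0OA7FA5xZU4umq6yRv5IalXxgH79hbsI1expDCNzkobYZYcbT
+8fA3c4SWo8HBl5PkaE+BcRR0QKdtTES4ds+1VY2RAoGAepT3VbWdI0Y2xhMidqwz
+JSUVmEc8lTbEo4HBL9i1753SY2a24hBf3ZBsZwtFZ5AWY/hk2jJ3r37ryvjwXuiY
+NrXvmSt6SreY3ix7O6sHNJgCjzLeykjttSM1nkSELndVNihjWxo2J2Li6bhG4kAG
+HDXZdM/BV9bJyqEV9/WpU7Y=
+-----END PRIVATE KEY-----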
@ -0,0 +1 @@
135F82A6725ABEC8C12A4744A5ED7EBCFC0424B0
@ -0,0 +1 @@
52FCA911627B18AC6CF7BC0E36CE3BE1D284B90007D962BBCB68A7CC42E0FD6E
@ -11,6 +11,7 @@ export const OCSP_CA_KEY = "jstests/libs/ocsp/ca_ocsp.key";
export const CLUSTER_CA_CERT = "jstests/libs/ca.pem";
export const CLUSTER_KEY = "jstests/libs/server.pem";
export const OCSP_SERVER_CERT = "jstests/libs/ocsp/server_ocsp.pem";
export const OCSP_NO_OCSP_SERVER_CERT = "jstests/libs/ocsp/server_no_ocsp.pem";
export const OCSP_CLIENT_CERT = "jstests/libs/ocsp/client_ocsp.pem";
export const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pem";
export const OCSP_SERVER_CERT_REVOKED = "jstests/libs/ocsp/server_ocsp_revoked.pem";
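Review bot: The new `OCSP_NO_OCSP_SERVER_CERT` constant is the only added line in this hunk and carries no comment saying what distinguishes the file from `OCSP_SERVER_CERT` two lines above, which matters because the rotation test in this commit relies on that difference. A one-liner above it would do: `// Issued by the OCSP CA but without an authorityInfoAccess (OCSP responder) extension; paired with OCSP_SERVER_CERT in the certificate-rotation test.` The other constants in the hunk are unchanged context.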
@ -14,10 +14,10 @@ import {
import {determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
var ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"failpoint.disableStapling": "{'mode':'alwaysOn'}",
"ocspEnabled": "true",
@ -39,7 +39,7 @@ mock_ocsp.stop();
// We need to test different certificates for revoked and not
// revoked on OSX, so we may as well run this test on all platforms.
Object.extend(ocsp_options, {waitForConnect: false});
ocsp_options.sslPEMKeyFile = OCSP_SERVER_CERT_REVOKED;
ocsp_options.tlsCertificateKeyFile = OCSP_SERVER_CERT_REVOKED;
print("Restarting MockOCSPServer with FAULT_REVOKED option");
mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1);
@ -72,7 +72,7 @@ clearOCSPCache();
sleep(1000);
// Test that soft fail works.
ocsp_options.sslPEMKeyFile = OCSP_SERVER_CERT;
ocsp_options.tlsCertificateKeyFile = OCSP_SERVER_CERT;
assert.doesNotThrow(() => {
conn = MongoRunner.runMongod(ocsp_options);
@ -24,10 +24,10 @@ function test(serverCert, caCert, responderCertPair) {
clearOCSPCache();
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: serverCert,
sslCAFile: caCert,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: serverCert,
tlsCAFile: caCert,
tlsAllowInvalidHostnames: "",
setParameter: {
"failpoint.disableStapling": "{'mode':'alwaysOn'}",
"ocspEnabled": "true",
@ -14,10 +14,10 @@ if (determineSSLProvider() !== "openssl") {
const mongodOptions = (connectionHealthLoggingOn) => {
return {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"failpoint.disableStapling": "{'mode':'alwaysOn'}",
"ocspEnabled": "true",
@ -21,10 +21,10 @@ ReplSetTest.kDefaultTimeoutMS = 1 * 30 * 1000;
MongoRunner.runHangAnalyzer.disable();
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
},
@ -43,10 +43,10 @@ function testClient(serverCert, caCert, responderCertPair, issuerDigest) {
new MockOCSPServer("", 1, responderCertPair, 0, INCLUDE_EXTRA_STATUS, issuerDigest);
let ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: serverCert,
sslCAFile: caCert,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: serverCert,
tlsCAFile: caCert,
tlsAllowInvalidHostnames: "",
setParameter: {
"failpoint.disableStapling": "{'mode':'alwaysOn'}",
"ocspEnabled": "true",
@ -97,10 +97,10 @@ function testStapling(serverCert, caCert, responderCertPair, issuerDigest) {
new MockOCSPServer("", 32400, responderCertPair, 0, INCLUDE_EXTRA_STATUS, issuerDigest);
let ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: serverCert,
sslCAFile: caCert,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: serverCert,
tlsCAFile: caCert,
tlsAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
},
@ -44,9 +44,9 @@ ReplSetTest.kDefaultTimeoutMS = 2 * 60 * 1000;
MongoRunner.runHangAnalyzer.disable();
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT_INVALID,
sslCAFile: OCSP_CA_PEM,
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT_INVALID,
tlsCAFile: OCSP_CA_PEM,
setParameter: {
"ocspEnabled": "true",
"tlsOCSPStaplingTimeoutSecs": 1,
@ -17,10 +17,10 @@ let mock_ocsp = new MockOCSPServer();
mock_ocsp.start();
let ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_MUSTSTAPLE_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_MUSTSTAPLE_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
},
@ -24,10 +24,10 @@ let conn = null;
mock_ocsp.start();
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
},
@ -51,7 +51,7 @@ MongoRunner.stopMongod(conn);
// ====== TEST 2
jsTestLog("Test server is not stapling the response");
ocsp_options.sslPEMKeyFile = OCSP_SERVER_MUSTSTAPLE_CERT;
ocsp_options.tlsCertificateKeyFile = OCSP_SERVER_MUSTSTAPLE_CERT;
ocsp_options.waitForConnect = false;
conn = MongoRunner.runMongod(ocsp_options);
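--- /dev/null
+++ b/jstests/ocsp/NEW-TEST-FILE-NAME-NOT-SHOWN-ON-PAGE.js
@@ -0,0 +1,64 @@
+// Check that attempt at OCSP verification when the OCSP server is not running. The
+// MongoDB server should not throw an exception. The MongoDB server should also
+// correctly handle transitioning from certificates with OCSP to ones without
+// @tags: [
+// requires_http_client,
+// ]
+
+import {assertCreateCollection} from "jstests/libs/collection_drop_recreate.js";
+import {
+clearOCSPCache,
+OCSP_CA_PEM,
+OCSP_NO_OCSP_SERVER_CERT,
+OCSP_SERVER_CERT
+} from "jstests/ocsp/lib/ocsp_helpers.js";
+import {copyCertificateFile} from "jstests/ssl/libs/ssl_helpers.js";
+
+// dataDir is defined in jstest.py
+const dbPath = MongoRunner.toRealDir("$dataDir");
+mkdir(dbPath);
+const serverCertificatePath = dbPath + "/server_test.pem";
+
+var ocsp_options = {
+tlsMode: "requireTLS",
+tlsCertificateKeyFile: serverCertificatePath,
+tlsCAFile: OCSP_CA_PEM,
+};
+
+// Start with the OCSP-enabled server certificate
+copyCertificateFile(OCSP_SERVER_CERT, serverCertificatePath);
+
+var mongod = null;
+
+assert.doesNotThrow(() => {
+// Start the Mongo server without the mock OCSP server, but with ocspEnabled=true.
+// The server uses a certificate with the following X509v3 extension:
+// Authority Information Access:
+// OCSP -
+// URI: http: // localhost:8100/status
+// We expect the server to continue working as usual and should not crash
+mongod = MongoRunner.runMongod(ocsp_options);
+});
+
+// Insert some data
+const dbName = jsTestName();
+const collName = jsTestName();
+const testDB = mongod.getDB(dbName);
+assertCreateCollection(testDB, collName);
+const coll = testDB.getCollection(collName);
+assert.commandWorked(coll.insert({"_id": 1, "title": "employee"}));
+
+// Rotate to a certificate without OCSP
+copyCertificateFile(OCSP_NO_OCSP_SERVER_CERT, serverCertificatePath);
+
+assert.doesNotThrow(() => {
+const success = mongod.adminCommand({rotateCertificates: 1}).ok;
+});
+
+// Try inserting more data to ensure mongod continues to work with the new
+// certificate
+assert.commandWorked(coll.insert({"_id": 2, "title": "contractor"}));
+
+MongoRunner.stopMongod(mongod);
+
+clearOCSPCache();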
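Review bot: The rotation result on the line `const success = mongod.adminCommand({rotateCertificates: 1}).ok;` is assigned and never checked, and the surrounding `assert.doesNotThrow` only catches exceptions, so an `ok: 0` reply (for example the new PEM failing to load) passes silently and the insert that follows still succeeds over the old certificate; the test therefore never establishes that the switch to the non-OCSP certificate happened. Replace that block with `assert.commandWorked(mongod.adminCommand({rotateCertificates: 1}));`. The comment inside the first `assert.doesNotThrow` says the server starts "with ocspEnabled=true", but `ocsp_options` sets only tlsMode, tlsCertificateKeyFile and tlsCAFile, whereas the other tests touched by this commit pass `setParameter: {"ocspEnabled": "true"}` explicitly; either add that or reword the comment so the test does not depend on the server default. `var ocsp_options` and `var mongod` in an ES module should be `const` and `let`.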
@ -19,10 +19,10 @@ const RESPONSE_VALIDITY = 5; // seconds
const mock_ocsp = new MockOCSPServer("", RESPONSE_VALIDITY);
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
},
@ -46,7 +46,7 @@ MongoRunner.stopMongod(conn);
// ====== TEST 2
jsTestLog("Test fetcher can recover on transient outages of the mock responder");
ocsp_options.sslPEMKeyFile = OCSP_SERVER_MUSTSTAPLE_CERT;
ocsp_options.tlsCertificateKeyFile = OCSP_SERVER_MUSTSTAPLE_CERT;
ocsp_options.waitForConnect = false;
conn = MongoRunner.runMongod(ocsp_options);
@ -22,7 +22,7 @@ function tryRotate(fault) {
}
mongod = MongoRunner.runMongod(
{sslMode: "requireSSL", sslPEMKeyFile: OCSP_SERVER_CERT, sslCAFile: OCSP_CA_PEM});
{tlsMode: "requireTLS", tlsCertificateKeyFile: OCSP_SERVER_CERT, tlsCAFile: OCSP_CA_PEM});
// Positive: test with positive OCSP response
assert(tryRotate());
@ -19,10 +19,10 @@ let mock_ocsp = new MockOCSPServer("", 20);
mock_ocsp.start();
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
},
@ -99,10 +99,10 @@ MongoRunner.stopMongod(conn);
// Make sure that the refresh period is set to a very large value so that we can
// make sure that the period defined by the mock OCSP responder overrides it.
let ocsp_options_high_refresh = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
"ocspStaplingRefreshPeriodSecs": 300000,
@ -11,10 +11,10 @@ if (determineSSLProvider() === "apple") {
}
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_CERT,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_CERT,
tlsAllowInvalidHostnames: "",
setParameter: {
"failpoint.disableStapling": "{'mode':'alwaysOn'}",
"ocspEnabled": "true",
@ -10,10 +10,10 @@ if (determineSSLProvider() !== "windows") {
}
var ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"failpoint.disableStapling": "{'mode':'alwaysOn'}",
"ocspEnabled": "true",
@ -33,10 +33,10 @@ const CLUSTER_CA = {
function test(serverCert, caCert, responderCertPair, extraOpts) {
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: serverCert,
sslCAFile: caCert,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: serverCert,
tlsCAFile: caCert,
tlsAllowInvalidHostnames: "",
setParameter: {
"ocspStaplingRefreshPeriodSecs": 500,
"ocspEnabled": "true",
@ -110,10 +110,10 @@ function test(serverCert, caCert, responderCertPair, extraOpts) {
function testSuperLongOCSPResponseNextUpdateTime() {
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_CERT,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
}
@ -16,10 +16,10 @@ const logPath = MongoRunner.dataPath + "mongod.log";
const ocsp_options = {
logpath: logPath,
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
tlsCAFile: OCSP_CA_PEM,
tlsAllowInvalidHostnames: "",
waitForConnect: false,
};
@ -549,6 +549,26 @@ certs:
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
- name: "server_no_ocsp.pem"
description: >-
Non-OCSP certificate for the mongodb server using the OCSP CA.
Subject:
CN: "localhost"
C: US
ST: NY
L: OCSP-1
Issuer: "ca_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
extensions:
basicConstraints: {CA: false}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
- name: "server_ocsp_invalid.pem"
description: >-
An expired OCSP certificate for the mongodb server.
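Review bot: The `description` of the new `server_no_ocsp.pem` entry says only "Non-OCSP certificate for the mongodb server using the OCSP CA" and does not state which property makes it non-OCSP, which is the property the new certificate-rotation test depends on; the extensions listed under the entry (basicConstraints, subjectAltName, subjectKeyIdentifier, keyUsage, extendedKeyUsage) omit authorityInfoAccess, so the description could read `Server certificate issued by the OCSP CA with no authorityInfoAccess (OCSP responder URI) extension; used to exercise rotating away from an OCSP-enabled certificate.`. Decoding the validity field of the committed PEM gives roughly 2025-07-14 to 2027-10-16, so this fixture will need regenerating with the rest of the set before then or the rotation test will start failing for an unrelated reason; noting that where the fixtures are regenerated would help. The `certs:` list continues outside the hunk.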