Context

wrapConnectionError in topology.connection (added in GODRIVER-3646, PR #2330) labels connection-establishment errors with SystemOverloadedError, RetryableError, and NetworkError per the CMAP spec. The deny-list currently excludes only DNS errors and three specific x509 cert verification types.

CMAP says:

For errors that the driver can distinguish as never occurring due to server overload, such as DNS lookup failures, non-I/O TLS errors (e.g., certificate validation or hostname-mismatch failures), or errors encountered while establishing a connection to a SOCKS5 proxy, the driver MUST NOT add backpressure error labels for these error types.

The "e.g." opens the "non-I/O TLS errors" category beyond cert validation. Protocol-level TLS failures where the peer actively rejects the handshake (fatal alert, malformed record header) are also non-I/O TLS errors and should be excluded. The current implementation labels them as overload, which causes Server.ProcessHandshakeError to skip pool clearing when it shouldn't: leaving a misconfigured / wrong-protocol server marked healthy in SDAM.

Detailed steps to reproduce the problem?

https://github.com/prestonvasquez/go-playground/blob/b98ea7e23ff25346f68cc1971f68a957617ccbbe/mgd_backpressure_test.go#L153

Definition of done: what must be done to consider the task complete?

Add a branch to match tls.RecordHeaderError to the root error's error tree. Consider creating a guard to tls.AlertError (Go 1.21+), but this will require string matching. Be sure to add test coverage to all error types.

Describe how MongoDB is set up. Local vs Hosted, version, topology, load balanced, etc.

test containers on latest server version supported by docker using replica set toplogy.

The exact Go version used, with patch level:

go1.25.5 darwin/arm64

The exact version of the Go driver used:

master

Security Vulnerabilities

NA