Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.0.0
Affects Version/s: 4.0.0
Component/s: Shell
Labels:
None

Epic Link:
Shell GA Reqs
Confidence Status:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Link:
None
Goal Name(s):
None

When connecting to a server using TLS, the Node Driver does not verify the identity of the server by default.

This is caused by the code in the following location: https://github.com/mongodb/node-mongodb-native/blob/ee1a4d32ac95b7d143b08896bc486cfa8c2895a1/src/cmap/connect.ts#L250-L257

This poses a potential security risk. A user can still skip the check by passing --tlsAllowInvalidCertificates or --tlsAllowInvalidHostnames.

As matt.broadstone mentioned in Slack, it might be a cause for AWS test failures in CI - I'll just add that in here to maybe investigate, too!

is depended on by

MONGOSH-576 Add additional integration tests for X.509

Closed

Assignee:: Neal Beeken
Reporter:: Michael Rose (Inactive)
Reviewers:: None
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Mar 05 2021 10:59:12 AM UTC
Updated:: Oct 29 2023 01:41:53 PM UTC
Resolved:: Mar 22 2021 06:19:10 PM UTC