Uploaded image for project: 'Node.js Driver'
  1. Node.js Driver
  2. NODE-3141

Driver does not verify server identity by default

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 4.0.0
    • Affects Version/s: 4.0.0
    • Component/s: Shell
    • Labels:
      None

      When connecting to a server using TLS, the Node Driver does not verify the identity of the server by default.

      This is caused by the code in the following location: https://github.com/mongodb/node-mongodb-native/blob/ee1a4d32ac95b7d143b08896bc486cfa8c2895a1/src/cmap/connect.ts#L250-L257

      This poses a potential security risk. A user can still skip the check by passing --tlsAllowInvalidCertificates or --tlsAllowInvalidHostnames.

      As matt.broadstone mentioned in Slack, it might be a cause for AWS test failures in CI - I'll just add that in here to maybe investigate, too!

            Assignee:
            neal.beeken@mongodb.com Neal Beeken
            Reporter:
            michael.rose@mongodb.com Michael Rose (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: