Uploaded image for project: 'Node.js Driver'
  1. Node.js Driver
  2. NODE-946

Not performing SSL server certificate validation

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Minor - P4
    • Resolution: Won't Fix
    • 2.2.24
    • None
    • None

    Description

      It appears that the Node driver is not properly performing SSL server certificate validation. Per https://jira.mongodb.org/browse/DRIVERS-124: drivers should by default refuse to connect to servers that present certificates that do not match the host name that the client tried to connect to.

      Connecting with "url" should succeed and "ipUrl" should fail, but both succeed. I also tested with the Java and Python drivers and using ip addresses fails. You can reproduce with the following script (with the db user and pass provided).

      var MongoClient = require('mongodb').MongoClient;
       
      var url = "mongodb://foo:bar@ds015564-a0.sjf52.fleet.mongolab.com:15564,ds015564-a1.sjf52.fleet.mongolab.com:15564/test?replicaSet=rs-ds015564&ssl=true";
       
      var ipUrl = "mongodb://foo:bar@54.161.72.61:15564,54.204.126.162:15564/test?replicaSet=rs-ds015564&ssl=true";
       
      MongoClient.connect(url, function(err, db) {
        console.log("Connected to database");
       
        db.close();
      });
      

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              chrischang12 Christopher Chang
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: