Loading...

XML

Word

Printable

JSON

Type: Improvement
Resolution: Won't Fix
Priority: Minor - P4
Fix Version/s: None
Affects Version/s: 2.2.24
Component/s: None
Labels:
- breaking
- external-user

Epic Link:
NODE-2120
Confidence Status:
None

Checklist:

Empty

show more show less

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

It appears that the Node driver is not properly performing SSL server certificate validation. Per https://jira.mongodb.org/browse/DRIVERS-124: drivers should by default refuse to connect to servers that present certificates that do not match the host name that the client tried to connect to.

Connecting with "url" should succeed and "ipUrl" should fail, but both succeed. I also tested with the Java and Python drivers and using ip addresses fails. You can reproduce with the following script (with the db user and pass provided).

var MongoClient = require('mongodb').MongoClient;

var url = "mongodb://foo:bar@ds015564-a0.sjf52.fleet.mongolab.com:15564,ds015564-a1.sjf52.fleet.mongolab.com:15564/test?replicaSet=rs-ds015564&ssl=true";

var ipUrl = "mongodb://foo:bar@54.161.72.61:15564,54.204.126.162:15564/test?replicaSet=rs-ds015564&ssl=true";

MongoClient.connect(url, function(err, db) {
  console.log("Connected to database");

  db.close();
});

related to

DRIVERS-124 Perform SSL server certificate validation in the drivers

Closed

NODE-29 SSL Validation support

Closed

DRIVERS-65 SSL certificate validation testing

Closed

NODE-1918 Node.js mongoDB driver documentation has incorrect default value for sslValidate

Closed

Assignee:: Unassigned

Reporter:: Christopher Chang

Reviewers:: None

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: Feb 25 2017 12:48:01 AM UTC

Updated:: Dec 23 2021 11:50:46 PM UTC

Resolved:: Apr 24 2020 06:04:48 PM UTC

Confidence Status Last Update:: 07/Sep/17 5:00 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates