Uploaded image for project: 'Node.js Driver'
  1. Node.js Driver
  2. NODE-946

Not performing SSL server certificate validation

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Won't Fix
    • Affects Version/s: 2.2.24
    • Fix Version/s: None
    • Component/s: None

      Description

      It appears that the Node driver is not properly performing SSL server certificate validation. Per https://jira.mongodb.org/browse/DRIVERS-124: drivers should by default refuse to connect to servers that present certificates that do not match the host name that the client tried to connect to.

      Connecting with "url" should succeed and "ipUrl" should fail, but both succeed. I also tested with the Java and Python drivers and using ip addresses fails. You can reproduce with the following script (with the db user and pass provided).

      var MongoClient = require('mongodb').MongoClient;
       
      var url = "mongodb://foo:bar@ds015564-a0.sjf52.fleet.mongolab.com:15564,ds015564-a1.sjf52.fleet.mongolab.com:15564/test?replicaSet=rs-ds015564&ssl=true";
       
      var ipUrl = "mongodb://foo:bar@54.161.72.61:15564,54.204.126.162:15564/test?replicaSet=rs-ds015564&ssl=true";
       
      MongoClient.connect(url, function(err, db) {
        console.log("Connected to database");
       
        db.close();
      });
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              chrischang12 Christopher Chang
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: