[NODE-946] Not performing SSL server certificate validation - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor - P4
Resolution: Won't Fix
Affects Version/s: 2.2.24
Fix Version/s: None
Component/s: None
Labels:
- breaking
- external-user

Epic Link:
Node V4 Beta

Checklist:

Empty

show more show less

Description

It appears that the Node driver is not properly performing SSL server certificate validation. Per https://jira.mongodb.org/browse/DRIVERS-124: drivers should by default refuse to connect to servers that present certificates that do not match the host name that the client tried to connect to.

Connecting with "url" should succeed and "ipUrl" should fail, but both succeed. I also tested with the Java and Python drivers and using ip addresses fails. You can reproduce with the following script (with the db user and pass provided).

var MongoClient = require('mongodb').MongoClient;

var url = "mongodb://foo:bar@ds015564-a0.sjf52.fleet.mongolab.com:15564,ds015564-a1.sjf52.fleet.mongolab.com:15564/test?replicaSet=rs-ds015564&ssl=true";

var ipUrl = "mongodb://foo:bar@54.161.72.61:15564,54.204.126.162:15564/test?replicaSet=rs-ds015564&ssl=true";

MongoClient.connect(url, function(err, db) {

  console.log("Connected to database");

  db.close();

});

Attachments

Issue Links

related to

DRIVERS-124 Perform SSL server certificate validation in the drivers

Closed

NODE-29 SSL Validation support

Closed

DRIVERS-65 SSL certificate validation testing

Closed

NODE-1918 Node.js mongoDB driver documentation has incorrect default value for sslValidate

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Christopher Chang

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: Feb 25 2017 12:48:01 AM UTC

Updated:: Dec 23 2021 11:50:46 PM UTC

Resolved:: Apr 24 2020 06:04:48 PM UTC