  1. Node.js Driver
  2. NODE-946

Not performing SSL server certificate validation

    • Type: Improvement
    • Resolution: Won't Fix
    • Priority: Minor - P4
    • None
    • Affects Version/s: 2.2.24
    • Component/s: None

      It appears that the Node driver is not properly performing SSL server certificate validation. Per https://jira.mongodb.org/browse/DRIVERS-124: drivers should by default refuse to connect to servers that present certificates that do not match the host name that the client tried to connect to.

      Connecting with "url" should succeed and "ipUrl" should fail, but both succeed. I also tested with the Java and Python drivers, and using IP addresses fails. You can reproduce with the following script (with the db user and pass provided).

      var MongoClient = require('mongodb').MongoClient;
      
      var url = "mongodb://foo:bar@ds015564-a0.sjf52.fleet.mongolab.com:15564,ds015564-a1.sjf52.fleet.mongolab.com:15564/test?replicaSet=rs-ds015564&ssl=true";
      
      var ipUrl = "mongodb://foo:bar@54.161.72.61:15564,54.204.126.162:15564/test?replicaSet=rs-ds015564&ssl=true";
      
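      // Swap `url` for `ipUrl` to test the IP-address seed list.
      MongoClient.connect(url, function(err, db) {
        if (err) {
          // Report the failure instead of calling close() on an undefined db.
          console.error("Connection failed:", err.message);
          return;
        }
        console.log("Connected to database");
      
        db.close();
      });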
      

            Assignee: Unassigned
            Reporter: Christopher Chang (chrischang12)
            Votes: 1
            Watchers: 5
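The host name check the report expects, shown with Node's built-in `tls.checkServerIdentity` as an added example; it is not part of the original report and not the driver's code. The certificate object, host names, IP addresses and the helpers `seedHosts` and `checkSeeds` are constructed for illustration.

```javascript
'use strict';
const tls = require('tls');

// Constructed certificate in the shape returned by tlsSocket.getPeerCertificate().
// It lists DNS names only and has no "IP Address:" subjectAltName entries.
const constructedCert = {
  subject: { CN: 'db-a0.example.net' },
  subjectaltname: 'DNS:db-a0.example.net, DNS:db-a1.example.net',
};

// Hypothetical helper: pull the host names out of a mongodb:// seed list,
// dropping credentials, ports and the path. Bracketed IPv6 literals are not handled.
function seedHosts(uri) {
  const rest = uri.replace(/^mongodb:\/\//, '');
  const authority = rest.split('/')[0];
  const hostList = authority.slice(authority.lastIndexOf('@') + 1);
  return hostList.split(',').map((hostPort) => hostPort.replace(/:\d+$/, ''));
}

// Hypothetical helper: run Node's identity check for every seed host.
function checkSeeds(uri, cert) {
  return seedHosts(uri).map((host) => {
    // Returns undefined when the name matches, an Error object otherwise.
    const err = tls.checkServerIdentity(host, cert);
    return { host, ok: err === undefined, reason: err ? err.message : null };
  });
}

// Constructed connection strings mirroring the two forms in the report.
const byName = 'mongodb://user:pass@db-a0.example.net:15564,db-a1.example.net:15564/test?replicaSet=rs0&ssl=true';
const byIp = 'mongodb://user:pass@203.0.113.10:15564,203.0.113.11:15564/test?replicaSet=rs0&ssl=true';

for (const r of [...checkSeeds(byName, constructedCert), ...checkSeeds(byIp, constructedCert)]) {
  console.log(r.host, r.ok ? 'accepted' : 'rejected: ' + r.reason);
}
```

A client that validates the server identity accepts the two DNS seeds and rejects both IP seeds, because the certificate carries no matching IP entry.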
