- Type: Improvement
- Resolution: Won't Fix
- Priority: Minor - P4
- None
- Affects Version/s: 2.2.24
- Component/s: None
It appears that the Node driver is not properly performing SSL server certificate validation. Per https://jira.mongodb.org/browse/DRIVERS-124: drivers should by default refuse to connect to servers that present certificates that do not match the host name that the client tried to connect to.
Connecting with "url" should succeed and "ipUrl" should fail, but both succeed. I also tested with the Java and Python drivers, and using IP addresses fails. You can reproduce with the following script (with the db user and pass provided).
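var MongoClient = require('mongodb').MongoClient;

// Seed list by host name: expected to connect.
var url = "mongodb://foo:bar@ds015564-a0.sjf52.fleet.mongolab.com:15564,ds015564-a1.sjf52.fleet.mongolab.com:15564/test?replicaSet=rs-ds015564&ssl=true";
// Seed list by IP address: expected to be refused, since the certificate does not match.
var ipUrl = "mongodb://foo:bar@54.161.72.61:15564,54.204.126.162:15564/test?replicaSet=rs-ds015564&ssl=true";

// Replace url with ipUrl to test the IP address case.
MongoClient.connect(url, function(err, db) {
  if (err) {
    // Without this check, db is undefined on failure and db.close() throws.
    console.log("Connection failed: " + err.message);
    return;
  }
  console.log("Connected to database");
  db.close();
});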
Related to:
- DRIVERS-124 Perform SSL server certificate validation in the drivers (Closed)
- NODE-29 SSL Validation support (Closed)
- DRIVERS-65 SSL certificate validation testing (Closed)
- NODE-1918 Node.js mongoDB driver documentation has incorrect default value for sslValidate (Closed)
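The host-name check the report expects, applied to each member of a seed list with Node's built-in `tls.checkServerIdentity` (an added example, not part of the original report and not the driver's code). The certificates, the `example.test` host names, the 192.0.2.x addresses and the helper names `seedHosts` and `checkSeeds` are constructed for illustration.

```javascript
const tls = require('node:tls');

// Constructed certificates in the shape returned by tlsSocket.getPeerCertificate().
// dnsOnlyCert carries DNS SANs only; ipSanCert also lists one IP address.
const dnsOnlyCert = {
  subject: { CN: 'db0.example.test' },
  subjectaltname: 'DNS:db0.example.test, DNS:db1.example.test',
};
const ipSanCert = {
  subject: { CN: 'db0.example.test' },
  subjectaltname: 'DNS:db0.example.test, IP Address:192.0.2.10',
};

// Pull the host part of every seed out of a mongodb:// URI
// (credentials and ports dropped; assumes a percent-encoded password).
function seedHosts(uri) {
  const m = /^mongodb:\/\/(?:[^@\/]*@)?([^\/?]+)/.exec(uri);
  if (!m) throw new Error('not a mongodb:// URI');
  return m[1].split(',').map((hostPort) => {
    // Bracketed IPv6 literal, e.g. [2001:db8::1]:27017
    if (hostPort.startsWith('[')) return hostPort.slice(1, hostPort.indexOf(']'));
    return hostPort.split(':')[0];
  });
}

// Run Node's identity check for each seed. tls.checkServerIdentity returns
// undefined on a match and an Error (not thrown) on a mismatch.
function checkSeeds(uri, cert) {
  return seedHosts(uri).map((host) => {
    const err = tls.checkServerIdentity(host, cert);
    return { host, ok: err === undefined, code: err ? err.code : null };
  });
}

// Constructed seed lists mirroring the report's "url" and "ipUrl".
const byName = 'mongodb://user:pass@db0.example.test:27017,db1.example.test:27017/test?ssl=true';
const byIp = 'mongodb://user:pass@192.0.2.10:27017,192.0.2.11:27017/test?ssl=true';

console.log('by name, DNS-only cert:', checkSeeds(byName, dnsOnlyCert));
console.log('by IP,   DNS-only cert:', checkSeeds(byIp, dnsOnlyCert));
// An IP seed passes only when that exact address is listed as an IP SAN.
console.log('by IP,   IP-SAN cert:  ', checkSeeds(byIp, ipSanCert));
```

A client that connects by IP address and still succeeds against a DNS-only certificate is skipping this check, which is the behaviour the report describes.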