fix(NODE-5985): throw Nodejs' certificate expired error when TLS fails to connect instead of CERT_HAS_EXPIRED #4014
Merged: nbbeeken merged 3 commits into mongodb:main from baileympearson:NODE-5985-remove-dead-auth-error-code on Mar 5, 2024
nbbeeken added the Primary Review (In Review with primary reviewer, not yet ready for team's eyes) label Mar 5, 2024
nbbeeken requested changes Mar 5, 2024
Change LGTM, can you make the title and release notes reflect the bug being fixed, which I think is mainly the error message, but also that there is a cause being set to a string (while not broken, highly unexpected)
baileympearson changed the title from "fix(NODE-5985): remove `rejectUnauthorized` special handling in connect()" to "fix(NODE-5985): throw Nodejs' certificate expired error when TLS fails to connect instead of `CERT_HAS_EXPIRED`" Mar 5, 2024
nbbeeken approved these changes Mar 5, 2024
aditi-khare-mongoDB added a commit that referenced this pull request Mar 8, 2024
synced new test files added support for error response added api docs made MongoServerError.errorResponse required + casted resulting type errors test(NODE-5992): fix env var restoration in tests (#4017) refactor(NODE-5903): add newline to stdio logging (#4018) fix(NODE-5985): throw Nodejs' certificate expired error when TLS fails to connect instead of `CERT_HAS_EXPIRED` (#4014) test(NODE-5962): gossip cluster time in utr (#4019) chore(NODE-5997): update saslprep to ^1.1.5 (#4023) feat(NODE-5968): container and Kubernetes awareness in client metadata (#4005) fix(NODE-5993): memory leak in the `Connection` class (#4022) added TODO(NODE-XXXX)
This was referenced Jun 29, 2024
This was referenced Jul 6, 2024
Description
What is changing?
When enabled, `rejectUnauthorized` configures Node's TLS API to reject / error when it's unable to verify the certificates of the server. This is enabled by default. When the option is enabled and Node is unable to verify the certificates of the server, an error event is emitted. In our connect logic, this means the `connect` promise rejects.

Prior to #3973, the code removed in this PR was in the connect handler (called on successful TLS connection). This was dead code because we will never receive an error that is triggered by `rejectUnauthorized` and successfully connect. When #3973 refactored `connect()` to be async, we moved this logic into the `catch` block instead of the `try` block, so that it did run when an error occurred during TLS connection.

The code throws `socket.authorizationError` instead of the caught error, which is a string value (https://nodejs.org/api/tls.html#tlssocketauthorizationerror). As a result, instead of throwing the error Nodejs gave us, we throw the authorization error property from the socket.

Is there new documentation needed for these changes?
No.
What is the motivation for this change?
Release Highlight
Driver 6.3.0 included an internal refactor to the driver's TLS connection logic that introduced logic that intercepted TLS connection errors. In certain situations, the driver would erroneously throw the TLS socket's `authorizationError` property instead of the error thrown from Nodejs' TLS API.

This was observable in two ways:
- `certificate has expired`, the driver threw an error with the message `CERT_HAS_EXPIRED`
- `cause` property set to a string instead of an error.

The driver now correctly propagates TLS errors.
Double check the following
- `npm run check:lint` script
- `type(NODE-xxxx)[!]: description`
- `feat(NODE-1234)!: rewriting everything in coffeescript`
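
A simplified model of the error path the description above explains, added here as an example and not code from the driver or from this PR. The fake socket, `NetworkError`, `connectBefore` and `connectAfter` are hypothetical names; the socket is a constructed stand-in so the example runs without a real certificate.

```javascript
const { EventEmitter, once } = require('node:events');

// Constructed stand-in for a tls.TLSSocket whose handshake fails verification:
// authorizationError holds a string, while 'error' carries the Error object.
function makeFailingSocket() {
  const socket = new EventEmitter();
  socket.authorizationError = 'CERT_HAS_EXPIRED';
  socket.destroy = () => {};
  const verifyError = Object.assign(new Error('certificate has expired'), {
    code: 'CERT_HAS_EXPIRED'
  });
  setImmediate(() => socket.emit('error', verifyError));
  return socket;
}

// Hypothetical wrapper standing in for a driver's network error type.
class NetworkError extends Error {
  constructor(cause) {
    super(cause instanceof Error ? cause.message : String(cause), { cause });
    this.name = 'NetworkError';
  }
}

// Before: the catch block surfaces socket.authorizationError (a string)
// instead of the error it caught.
async function connectBefore(socket) {
  try {
    await once(socket, 'secureConnect'); // rejects if 'error' fires first
    return socket;
  } catch (error) {
    socket.destroy();
    const reason = socket.authorizationError ?? error;
    throw new NetworkError(reason);
  }
}

// After: the Error from the TLS layer is propagated as-is.
async function connectAfter(socket) {
  try {
    await once(socket, 'secureConnect');
    return socket;
  } catch (error) {
    socket.destroy();
    throw new NetworkError(error);
  }
}

// Demo: print what a caller sees from each variant.
for (const connect of [connectBefore, connectAfter])
  connect(makeFailingSocket()).catch((e) => console.log(connect.name, e.message, typeof e.cause));
```

Error handling that matches on the message text or reads `cause.code` behaves differently across the two variants, which is why alerting or retry logic keyed on TLS failures should be checked against both shapes.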