Specifying rejectUnauthorized=true and verifyIdentity=false, unreachable code #2375

Closed
juanheyns opened this issue Jan 17, 2024 · 3 comments · Fixed by #2376

juanheyns commented Jan 17, 2024

When I specify rejectUnauthorized=true and verifyIdentity=false, I still get an error:

Hostname/IP does not match certificate's altnames: ...

So it seems like verifyIdentity does not have any effect. Looking at the code it seems like lib/connection.js line 372 is unreachable:

https://github.com/sidorares/node-mysql2/blob/1d983fa46031a77c689faea5f69e6e0baa1b3de7/lib/connection.js#L372C19-L372C19

      const ca = readFileSync(path.join(__dirname, `/ssl-ca/amazon-root-ca-1.pem`)).toString() // RDS Proxy
      
      pool = await createConnection({
        host,
        user,
        password,
        database,
        port,
        ssl: {
          ca,
          rejectUnauthorized: true,
          verifyIdentity: false
        }
      })

juanheyns (Contributor Author) commented

The same issue has been reported here:
#2119 (comment)

Daemos87 commented

Hi guys,

Does anyone know any temporary workaround to make this scenario work until the related or get merged and released?

Thanks in advance

juanheyns (Contributor Author) commented

> Hi guys,
>
> Does anyone know any temporary workaround to make this scenario work until the related or get merged and released?
>
> Thanks in advance

You can set rejectUnauthorized=false; in most cases this is unacceptable though.

If you are creating a CNAME DNS entry to an RDS server / RDS proxy, you could also resolve the CNAME to the original DNS entry:

import { resolveCname } from 'dns/promises'

//...
      const originalHostname = (await resolveCname(alias))[0]
      // create mysql connection

This is also not ideal since it adds unnecessary requests to DNS.
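
The CNAME workaround from the last comment, as an added example that is not part of the thread and not mysql2 code. It reproduces the altname mismatch with Node's own `tls.checkServerIdentity` and goes one step further than the comment by accepting a resolved name only when it sits under an expected suffix. The certificate, the hostnames, and the names `identityErrorCode`, `pickExpectedName`, `verifiableHost` and `expectedSuffix` are assumptions made for illustration.

```javascript
const tls = require('node:tls');
const dns = require('node:dns/promises');

// Constructed sample: the fields of a peer certificate object that
// tls.checkServerIdentity() reads. All hostnames here are made up.
const SAMPLE_CERT = {
  subject: { CN: 'proxy-1.rds.example.test' },
  subjectaltname: 'DNS:*.rds.example.test',
};

// null when `hostname` matches the certificate, otherwise the error code
// behind "Hostname/IP does not match certificate's altnames".
function identityErrorCode(hostname, cert) {
  const err = tls.checkServerIdentity(hostname, cert);
  return err ? err.code : null;
}

// Pick the first candidate under the suffix the caller expects, or throw.
// CNAME targets come from unauthenticated DNS, so a name outside the
// expected suffix is rejected rather than trusted (fail closed).
function pickExpectedName(candidates, expectedSuffix) {
  const suffix = '.' + expectedSuffix.toLowerCase();
  const name = candidates.find((c) => c.toLowerCase().endsWith(suffix));
  if (!name) throw new Error(`no candidate under ${expectedSuffix}`);
  return name;
}

// Hypothetical helper: resolve `alias` to the name to pass as `host`.
async function verifiableHost(alias, expectedSuffix) {
  let targets = [];
  try {
    targets = await dns.resolveCname(alias);
  } catch (err) {
    // No CNAME record: only the alias itself remains as a candidate.
    if (err.code !== 'ENODATA' && err.code !== 'ENOTFOUND') throw err;
  }
  return pickExpectedName([...targets, alias], expectedSuffix);
}
```

Pass the returned name as `host` and keep `rejectUnauthorized: true`, so the certificate chain and the hostname are both still checked.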
