fs2-io skips mTLS client verification

Main / fs2-io skips mTLS client verification

Discription

### Impact

When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds.

The vulnerability is limited to:
1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent.
2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API.
3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s.

It was introduced with the initial Node.js implementation of fs2-io in v3.1.0.

### Patches

A patch is released in v3.2.11. The `requestCert = true` parameter is respected and the peer certificate is verified. If verification fails, a `SSLException` is raised.

### Workarounds

If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish a mTLS connection.

### References
– https://github.com/nodejs/node/issues/43994
– https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/

### For more information
If you have any questions or comments about this advisory:
* [Open an issue.](https://github.com/typelevel/fs2/issues/new/choose)
* Contact the [Typelevel Security Team](https://github.com/typelevel/.github/blob/main/SECURITY.md).Read More

References

Back to Main

Subscribe for the latest news: