fs2-io skips mTLS client verification

Impact

When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds.

The vulnerability is limited to:

1. fs2-io running on Node.js. The JVM TLS implementation is completely independent.
2. TLSSockets in server-mode. Client-mode TLSSockets are implemented via a different API.
3. mTLS as enabled via requestCert = true in TLSParameters. The default setting is false for server-mode TLSSockets.

It was introduced with the initial Node.js implementation of fs2-io in v3.1.0.

Patches

A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised.

Workarounds

If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.

References

• https://github.com/nodejs/node/issues/43994
• https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/

For more information

If you have any questions or comments about this advisory:

• Open an issue.
• Contact the Typelevel Security Team.