Merge pull request #1554 from dbussink/add-verify-identity

Add identify verification option for TLS

Author: sidorares

lib/connection.js

@@ -342,13 +342,19 @@ class Connection extends EventEmitter {
       minVersion: this.config.ssl.minVersion
     });
     const rejectUnauthorized = this.config.ssl.rejectUnauthorized;
+    const verifyIdentity = this.config.ssl.verifyIdentity;
+    const host = this.config.host;
+
     let secureEstablished = false;
     const secureSocket = new Tls.TLSSocket(this.stream, {
       rejectUnauthorized: rejectUnauthorized,
       requestCert: true,
       secureContext: secureContext,
       isServer: false
     });
+    if (typeof host === 'string') {
+      secureSocket.setServername(host);
+    }
     // error handler for secure socket
     secureSocket.on('_tlsError', err => {
       if (secureEstablished) {
@@ -359,7 +365,15 @@ class Connection extends EventEmitter {
     });
     secureSocket.on('secure', () => {
       secureEstablished = true;
-      onSecure(rejectUnauthorized ? secureSocket.ssl.verifyError() : null);
+      let callbackValue = null;
+      if (rejectUnauthorized) {
+        callbackValue = secureSocket.ssl.verifyError()
+        if (!callbackValue && typeof host === 'string' && verifyIdentity) {
+          const cert = secureSocket.ssl.getPeerCertificate(true);
+          callbackValue = Tls.checkServerIdentity(host, cert)
+        }
+      }
+      onSecure(callbackValue);
     });
     secureSocket.on('data', data => {
       this.packetParser.execute(data);

typings/mysql/lib/Connection.d.ts

@@ -227,6 +227,12 @@ declare namespace Connection {
          * Configure the minimum supported version of SSL, the default is TLSv1.2.
          */
         minVersion?: string;
+
+        /**
+         * You can verify the server name identity presented on the server certificate when connecting to a MySQL server.
+         * You should enable this but it is disabled by default right now for backwards compatibility.
+         */
+         verifyIdentity?: boolean;
     }
 }