diff --git a/lib/connection.js b/lib/connection.js
index e2720be078..c2b73248b1 100644
--- a/lib/connection.js
+++ b/lib/connection.js
@@ -342,6 +342,9 @@ class Connection extends EventEmitter {
 minVersion: this.config.ssl.minVersion
 });
 const rejectUnauthorized = this.config.ssl.rejectUnauthorized;
+ const verifyIdentity = this.config.ssl.verifyIdentity;
+ const host = this.config.host;
+ let secureEstablished = false;
 const secureSocket = new Tls.TLSSocket(this.stream, {
 rejectUnauthorized: rejectUnauthorized,
@@ -349,6 +352,9 @@ class Connection extends EventEmitter {
 secureContext: secureContext,
 isServer: false
 });
+ if (typeof host === 'string') {
+ secureSocket.setServername(host);
+ }
 // error handler for secure socket
 secureSocket.on('_tlsError', err => {
 if (secureEstablished) {
@@ -359,7 +365,15 @@ class Connection extends EventEmitter {
 });
 secureSocket.on('secure', () => {
 secureEstablished = true;
- onSecure(rejectUnauthorized ? secureSocket.ssl.verifyError() : null);
+ let callbackValue = null;
+ if (rejectUnauthorized) {
+ callbackValue = secureSocket.ssl.verifyError()
+ if (!callbackValue && typeof host === 'string' && verifyIdentity) {
+ const cert = secureSocket.ssl.getPeerCertificate(true);
+ callbackValue = Tls.checkServerIdentity(host, cert)
+ }
+ }
+ onSecure(callbackValue);
 });
 secureSocket.on('data', data => {
 this.packetParser.execute(data);
diff --git a/typings/mysql/lib/Connection.d.ts b/typings/mysql/lib/Connection.d.ts
index dbce3e67a4..4882c113b3 100644
--- a/typings/mysql/lib/Connection.d.ts
+++ b/typings/mysql/lib/Connection.d.ts
@@ -226,6 +226,12 @@ declare namespace Connection {
 * Configure the minimum supported version of SSL, the default is TLSv1.2.
 */
 minVersion?: string;
+
+ /**
+ * You can verify the server name identity presented on the server certificate when connecting to a MySQL server.
+ * You should enable this but it is disabled by default right now for backwards compatibility.
+ */
+ verifyIdentity?: boolean;
 }
 }
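Review bot: `secureSocket.setServername(host)` in the second hunk is called for any string host, including IPv4/IPv6 literals, which RFC 6066 does not permit in the SNI HostName; Node's own `tls.connect()` only sets the servername when the host is not an IP (it checks `net.isIP`), so the same guard belongs here: `if (typeof host === 'string' && !net.isIP(host)) {`. That requires the `net` module to be in scope in this file, which the hunk does not show. The enclosing method starts before the hunk and ends after it.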
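Review bot: In the third hunk the hostname check only runs inside the `if (rejectUnauthorized)` branch, so a config with `verifyIdentity: true` but `rejectUnauthorized` unset or false gets no identity verification and no indication that it was skipped; if that coupling is intentional it should be stated in a comment on the new branch, otherwise the `verifyIdentity` block could stand on its own after the `verifyError()` assignment. `Tls.checkServerIdentity()` returns `undefined` on success, so `callbackValue` becomes `undefined` where the replaced line passed `null`; `callbackValue = Tls.checkServerIdentity(host, cert) || null;` keeps the old callback value. The two new assignments also lack the trailing semicolons used on every surrounding line, and `getPeerCertificate()` without the `true` argument is sufficient since only the leaf certificate's subject and SANs are compared.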
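Review bot: The added JSDoc for `verifyIdentity` in the typings hunk does not say that the check is performed only when `rejectUnauthorized` is also true, which is how the lib/connection.js change implements it, so a user enabling only this flag would expect verification that never happens. Add a line such as `* Only applied when rejectUnauthorized is also enabled; the configured host is compared against the certificate via tls.checkServerIdentity().` The first sentence reads as a tutorial; `* Verifies that the server certificate's identity matches the configured host.` states the behavior directly.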