fix(NODE-5985): throw Nodejs' certificate expired error when TLS fails to connect instead of CERT_HAS_EXPIRED
#4014
Description
What is changing?
When enabled, `rejectUnauthorized` configures Node's TLS API to reject / error when it's unable to verify the certificates of the server. This is enabled by default. When the option is enabled and Node is unable to verify the certificates of the server, an error event is emitted. In our connect logic, this means the `connect` promise rejects.

Prior to #3973, the code removed in this PR was in the connect handler (called on successful TLS connection). This was dead code because we will never receive an error that is triggered by `rejectUnauthorized` and successfully connect. When #3973 refactored `connect()` to be async, we moved this logic into the `catch` block instead of the `try` block, so that it did run when an error occurred during TLS connection.

The code throws `socket.authorizationError` instead of the caught error, which is a string value (https://nodejs.org/api/tls.html#tlssocketauthorizationerror). As a result, instead of throwing the error Nodejs gave us, we throw the authorization error property from the socket.

Is there new documentation needed for these changes?
No.
What is the motivation for this change?
Release Highlight

Driver 6.3.0 included an internal refactor to the driver's TLS connection logic that introduced logic that intercepted TLS connection errors. In certain situations, the driver would erroneously throw the TLS socket's `authorizationError` property instead of the error thrown from Nodejs' TLS API.

This was observable in two ways:

- `certificate has expired`, the driver threw an error with the message `CERT_HAS_EXPIRED`
- `cause` property set to a string instead of an error.

The driver now correctly propagates TLS errors.
Double check the following
`npm run check:lint` script
`type(NODE-xxxx)[!]: description`
feat(NODE-1234)!: rewriting everything in coffeescript
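
The behaviour change described in this PR, modelled as an added example (not the driver's code): a constructed fake socket stands in for `tls.TLSSocket`, and `makeFailingSocket`, `ConnectError`, `connectBefore`, `connectAfter` and `observe` are hypothetical names.

```javascript
// Constructed stand-in for a tls.TLSSocket whose handshake fails verification.
// Assumption: Node rejects with an Error and sets `authorizationError` to a string.
function makeFailingSocket() {
  const socket = { authorizationError: null };
  socket.connect = () =>
    new Promise((_resolve, reject) => {
      const err = new Error('certificate has expired');
      err.code = 'CERT_HAS_EXPIRED';
      socket.authorizationError = err.code; // a string, not an Error
      reject(err);
    });
  return socket;
}

// Hypothetical wrapper standing in for a driver-level network error.
class ConnectError extends Error {
  constructor(cause) {
    super(cause instanceof Error ? cause.message : String(cause));
    this.cause = cause;
  }
}

// "Before": the catch block prefers the socket's string over the caught error.
async function connectBefore(socket) {
  try {
    return await socket.connect();
  } catch (error) {
    throw new ConnectError(socket.authorizationError ?? error);
  }
}

// "After": the caught error is propagated unchanged as the cause.
async function connectAfter(socket) {
  try {
    return await socket.connect();
  } catch (error) {
    throw new ConnectError(error);
  }
}

// What a caller's error handler gets to see from either variant.
async function observe(connectFn) {
  try {
    await connectFn(makeFailingSocket());
    return null;
  } catch (e) {
    return { message: e.message, causeIsError: e.cause instanceof Error, code: e.cause?.code };
  }
}
```

With the "before" variant the cause is a bare string, so handlers or alerts that branch on `cause.code` or `cause instanceof Error` to detect certificate failures see nothing to match on.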