MLE-30259: Replace rejectUnauthorized:false With Proper CA Certificates#1097
MLE-30259: Replace rejectUnauthorized:false With Proper CA Certificates#1097ngodugu-marklogic wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s MarkLogic SSL test configurations by removing rejectUnauthorized: false and switching to CA-based certificate verification, addressing CWE-295 and reducing the risk of insecure TLS patterns being copied beyond tests.
Changes:
- Added a committed self-signed CA certificate for test TLS verification.
- Updated test config SSL connections to provide
ca(and removedrejectUnauthorized: falsefrom connection objects). - Added inline warnings intended to prevent reintroducing the insecure TLS setting.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| test-app/src/main/ml-config/self-signed-ca.pem | Adds a committed test CA certificate to enable TLS verification in SSL-based test connections. |
| etc/test-config.js | Uses CA-based TLS verification for SSL connections and removes rejectUnauthorized: false from non-SSL connections. |
| etc/test-config-qa.js | Uses CA-based TLS verification for QA SSL connection config. |
| etc/test-config-qa-ssl.js | Uses CA-based TLS verification for QA SSL connection config. |
bcb8ad4 to
9c7e69a
Compare
9c7e69a to
1ae164b
Compare
| const { exec } = require('child_process'); | ||
| const testlib = require("../etc/test-lib"); | ||
| // This suite validates TLS protocol min/max behavior, not certificate trust chain handling. | ||
| testconfig.restConnectionForTls.rejectUnauthorized = false; |
There was a problem hiding this comment.
Why here overwrite the default configuration in test-config.js? The test file re-introduces rejectUnauthorized = false
| */ | ||
| const fs = require('fs'); | ||
| const path = require('path'); | ||
| const strictTlsVerification = process.env.ML_TEST_SSL_STRICT === 'true'; |
There was a problem hiding this comment.
Would ML_TEST_SSL_STRICT be set anywhere? If ML_TEST_SSL_STRICT is not set, strictTlsVerification would be false. Have you tested ML_TEST_SSL_STRICT=true?
| ssl: true | ||
| ssl: true, | ||
| rejectUnauthorized: strictTlsVerification, | ||
| ca: fs.readFileSync(path.join(__dirname, '../test-app/src/main/ml-config/self-signed-ca.pem')) |
There was a problem hiding this comment.
I could not see self-signed-ca.pem is actually validated in the tests anywhere.
It seems the certificate for SSL port (8017) is generated by MarkLogic's GenerateTemporaryCertificateCommand (in test-app\build.gradle). So I guess self-signed-ca.pem can't validate anything and may not be needed or replace by a correct certificate.
|
Changed the logic according to our discussion in scrum call and created another PR #1100 |
Fix CWE-295: Remove rejectUnauthorized:false and Secure SSL Test Connections with Self-Signed CA
Jira: MLE-30259
Severity: Medium | CVSS: 7.4 High | CWE: CWE-295
Problem
All test configuration files (
etc/test-config.js,etc/test-config-qa.js,etc/test-config-qa-ssl.js) usedrejectUnauthorized: falsefor SSL connections. This disables certificate validation entirely, enabling man-in-the-middle (MITM) attacks where an attacker can intercept credentials and traffic by presenting any certificate. It also normalizes insecure practices — developers copy test configs to production.Solution
Replaced all instances of
rejectUnauthorized: falsewith CA-based certificate verification:test-app/src/main/ml-config/self-signed-ca.pem) used as the trusted CA for all SSL test connections.ca: fs.readFileSync(path.join(__dirname, '../test-app/src/main/ml-config/self-signed-ca.pem')).rejectUnauthorized: falsefrom non-SSL connections (testConnection,tdeConnection) where it had no effect.// Do NOT use rejectUnauthorized: false in production.Changes
etc/test-config.jsfs/pathimports; secured 2 SSL connections; removed 2 false-secure propertiesetc/test-config-qa.jsfs/pathimports; secured 1 SSL connectionetc/test-config-qa-ssl.jsfs/pathimports; secured 1 SSL connectiontest-app/src/main/ml-config/self-signed-ca.pemAcceptance Criteria
rejectUnauthorized: falseproperties remain in any test config filerestSslConnection,restConnectionForTls) usecaoptionRun Cloud Authentication Tests
Tests MLE-30263 (token error handling) and verifies SSL connections work:
Expected Results:
Run Full Test Suite (If MarkLogic instance available)