MLE-30259: Replace rejectUnauthorized:false With Proper CA Certificates#1097
Open
ngodugu-marklogic wants to merge 1 commit into
Open
MLE-30259: Replace rejectUnauthorized:false With Proper CA Certificates#1097ngodugu-marklogic wants to merge 1 commit into
ngodugu-marklogic wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s MarkLogic SSL test configurations by removing rejectUnauthorized: false and switching to CA-based certificate verification, addressing CWE-295 and reducing the risk of insecure TLS patterns being copied beyond tests.
Changes:
- Added a committed self-signed CA certificate for test TLS verification.
- Updated test config SSL connections to provide
ca(and removedrejectUnauthorized: falsefrom connection objects). - Added inline warnings intended to prevent reintroducing the insecure TLS setting.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| test-app/src/main/ml-config/self-signed-ca.pem | Adds a committed test CA certificate to enable TLS verification in SSL-based test connections. |
| etc/test-config.js | Uses CA-based TLS verification for SSL connections and removes rejectUnauthorized: false from non-SSL connections. |
| etc/test-config-qa.js | Uses CA-based TLS verification for QA SSL connection config. |
| etc/test-config-qa-ssl.js | Uses CA-based TLS verification for QA SSL connection config. |
bcb8ad4 to
9c7e69a
Compare
9c7e69a to
1ae164b
Compare
jonmille
approved these changes
Jul 16, 2026
RitaChen609
reviewed
Jul 16, 2026
| const { exec } = require('child_process'); | ||
| const testlib = require("../etc/test-lib"); | ||
| // This suite validates TLS protocol min/max behavior, not certificate trust chain handling. | ||
| testconfig.restConnectionForTls.rejectUnauthorized = false; |
There was a problem hiding this comment.
Why here overwrite the default configuration in test-config.js? The test file re-introduces rejectUnauthorized = false
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix CWE-295: Remove rejectUnauthorized:false and Secure SSL Test Connections with Self-Signed CA
Jira: MLE-30259
Severity: Medium | CVSS: 7.4 High | CWE: CWE-295
Problem
All test configuration files (
etc/test-config.js,etc/test-config-qa.js,etc/test-config-qa-ssl.js) usedrejectUnauthorized: falsefor SSL connections. This disables certificate validation entirely, enabling man-in-the-middle (MITM) attacks where an attacker can intercept credentials and traffic by presenting any certificate. It also normalizes insecure practices — developers copy test configs to production.Solution
Replaced all instances of
rejectUnauthorized: falsewith CA-based certificate verification:test-app/src/main/ml-config/self-signed-ca.pem) used as the trusted CA for all SSL test connections.ca: fs.readFileSync(path.join(__dirname, '../test-app/src/main/ml-config/self-signed-ca.pem')).rejectUnauthorized: falsefrom non-SSL connections (testConnection,tdeConnection) where it had no effect.// Do NOT use rejectUnauthorized: false in production.Changes
etc/test-config.jsfs/pathimports; secured 2 SSL connections; removed 2 false-secure propertiesetc/test-config-qa.jsfs/pathimports; secured 1 SSL connectionetc/test-config-qa-ssl.jsfs/pathimports; secured 1 SSL connectiontest-app/src/main/ml-config/self-signed-ca.pemAcceptance Criteria
rejectUnauthorized: falseproperties remain in any test config filerestSslConnection,restConnectionForTls) usecaoptionRun Cloud Authentication Tests
Tests MLE-30263 (token error handling) and verifies SSL connections work:
Expected Results:
Run Full Test Suite (If MarkLogic instance available)