Specifying rejectUnauthorized=true and verifyIdentity=false, unreachable code

[juanheyns]

When I specify rejectUnauthorized=true and verifyIdentity=false, I still get an error:

Hostname/IP does not match certificate's altnames: ...

So it seems like verifyIdentity does not have any effect. Looking at the code it seems like lib/connection.js line 372 is unreachable:

https://github.com/sidorares/node-mysql2/blob/1d983fa46031a77c689faea5f69e6e0baa1b3de7/lib/connection.js#L372C19-L372C19

      const ca = readFileSync(path.join(__dirname, `/ssl-ca/amazon-root-ca-1.pem`)).toString() // RDS Proxy
      
      pool = await createConnection({
        host,
        user,
        password,
        database,
        port,
        ssl: {
          ca,
          rejectUnauthorized: true,
          verifyIdentity: false
        }
      })

[juanheyns]

Same issue have been reported here:
#2119 (comment)

[Daemos87]

Hi guys,

Did anyone knows any temporary workaround to make this scenario work until the related or get merged and released?

Thanks in advance

[juanheyns]

Hi guys,

Did anyone knows any temporary workaround to make this scenario work until the related or get merged and released?

Thanks in advance

You can set rejectUnauthorized=false ; in most cases this is unacceptable though.

If you are creating a CNAME dns entry to an RDS server / RDS proxy - you could also resolve the CNAME to the original DNS entry:

import { resolveCname } from 'dns/promises'

//...
      const originalHostname = (await resolveCname(alias))[0]
      // create mysql connection

This is also not ideal since it adds unnecessary requests to DNS.