const tlsConfig = caTLSCACerts ? { trustedRoots: [caTLSCACerts], verify: false } : undefined;
In buildCAClient() FabricCAServices is created with tlsConfig with verify = false.
According to documentation the argument "Determines whether or not to verify the server certificate when using TLS".
So trustedRoots becomes irrelevant because the TLS client will not perform server certificate verification during the TLS handshake process. This means that the client will accept any certificate presented by the server, regardless of whether it is signed by a trusted Certificate Authority (CA) or not. This approach can introduce security risks, as it opens the possibility of Man-in-the-Middle (MITM) attacks, where an attacker could intercept and tamper with the communication between the client and server.
Recommendation
We recommend using verify: true or utilizing caInfo?.httpOptions?.verify config parameter as mentioned in chain-client/src/gcclient.spec.ts:122.
const tlsConfig = caTLSCACerts ? { trustedRoots: [caTLSCACerts], verify: false } : undefined; In buildCAClient() FabricCAServices is created with tlsConfig with verify = false.
According to documentation the argument "Determines whether or not to verify the server certificate when using TLS".
So trustedRoots becomes irrelevant because the TLS client will not perform server certificate verification during the TLS handshake process. This means that the client will accept any certificate presented by the server, regardless of whether it is signed by a trusted Certificate Authority (CA) or not. This approach can introduce security risks, as it opens the possibility of Man-in-the-Middle (MITM) attacks, where an attacker could intercept and tamper with the communication between the client and server.
Recommendation We recommend using verify: true or utilizing caInfo?.httpOptions?.verify config parameter as mentioned in chain-client/src/gcclient.spec.ts:122.
Certik finding: CAC-01