Make TRUST_SYSTEM_CA_SIGNED_CERTIFICATES the default when encrypted

Author: ali-ince

gulpfile.babel.js

@@ -168,15 +168,13 @@ gulp.task('set', function () {
     .pipe(gulp.dest('./'))
 })
 
-const neo4jHome = path.resolve('./build/neo4j')
-
 gulp.task('start-neo4j', function (done) {
-  sharedNeo4j.start(neo4jHome, process.env.NEOCTRL_ARGS)
+  sharedNeo4j.start()
   done()
 })
 
 gulp.task('stop-neo4j', function (done) {
-  sharedNeo4j.stop(neo4jHome)
+  sharedNeo4j.stop()
   done()
 })
 

src/internal/browser/browser-channel.js

@@ -264,16 +264,16 @@ function determineWebSocketScheme (config, protocolSupplier) {
 
   if (encryptionOn) {
     // encryption explicitly requested in the config
-    if (!trust || trust === 'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES') {
+    if (!trust || trust === 'TRUST_SYSTEM_CA_SIGNED_CERTIFICATES') {
       // trust strategy not specified or the only supported strategy is specified
       return { scheme: 'wss', error: null }
     } else {
       const error = newError(
         'The browser version of this driver only supports one trust ' +
-          "strategy, 'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES'. " +
+          "strategy, 'TRUST_SYSTEM_CA_SIGNED_CERTIFICATES'. " +
           trust +
           ' is not supported. Please ' +
-          'either use TRUST_CUSTOM_CA_SIGNED_CERTIFICATES or disable encryption by setting ' +
+          'either use TRUST_SYSTEM_CA_SIGNED_CERTIFICATES or disable encryption by setting ' +
           '`encrypted:"' +
           ENCRYPTION_OFF +
           '"` in the driver configuration.'

src/internal/node/node-channel.js

@@ -190,7 +190,7 @@ function trustStrategyName (config) {
   if (config.trust) {
     return config.trust
   }
-  return 'TRUST_ALL_CERTIFICATES'
+  return 'TRUST_SYSTEM_CA_SIGNED_CERTIFICATES'
 }
 
 /**

test/examples.test.js

@@ -144,10 +144,6 @@ describe('#integration examples', () => {
   })
 
   it('config trust example', async () => {
-    if (version.compareTo(VERSION_4_0_0) >= 0) {
-      pending('address within security work')
-    }
-
     // tag::config-trust[]
     const driver = neo4j.driver(uri, neo4j.auth.basic(user, password), {
       encrypted: 'ENCRYPTION_ON',

test/internal/node/tls.test.js

@@ -37,12 +37,6 @@ describe('#integration trust', () => {
     }
   })
 
-  beforeEach(() => {
-    if (serverVersion.compareTo(VERSION_4_0_0) >= 0) {
-      pending('address within security work')
-    }
-  })
-
   describe('trust-all-certificates', () => {
     let driver
 
@@ -102,7 +96,7 @@ describe('#integration trust', () => {
       driver = neo4j.driver('bolt://localhost', sharedNeo4j.authToken, {
         encrypted: true,
         trust: 'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES',
-        trustedCertificates: [neo4jCertPath()]
+        trustedCertificates: [sharedNeo4j.neo4jCertPath()]
       })
 
       // When
@@ -138,9 +132,21 @@ describe('#integration trust', () => {
           done()
         })
     })
-  })
 
-  function neo4jCertPath () {
-    return sharedNeo4j.neo4jCertPath(path.join('build', 'neo4j'))
-  }
+    it('should reject unknown certificates if trust not specified', done => {
+      // Given
+      driver = neo4j.driver('bolt://localhost', sharedNeo4j.authToken, {
+        encrypted: true
+      })
+
+      // When
+      driver
+        .session()
+        .run('RETURN 1')
+        .catch(err => {
+          expect(err.message).toContain('Server certificate is not trusted')
+          done()
+        })
+    })
+  })
 })