fs2-io skips mTLS client verification
Impact When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: fs2-io running on Node.js. The JVM TLS implementation is completely independent. TLSSockets in server-mode. Client-mode TLSSockets are implemented via a different API. mTLS as enabled via requestCert = true in TLSParameters. The default setting is false for server-mode TLSSockets. …