Category: Coding Mistakes
Improper TLS certificate parsing
Low Severity
Low Impact
Low Likelihood
Description
The @peculiar/x509 library used by the Reclaim TLS library accepts some invalid certificates as valid. This includes certificates whose hostname does not match the peer and certificates that have already expired.
Impact
The Reclaim client may end up communicating with a site that presents an invalid certificate. An attacker could attempt a man-in-the-middle (MITM) attack and compromise the integrity or confidentiality of the TLS connection.
Recommendations
Additional certificate validation is required on top of parsing, including verification that the certificate's name matches the expected hostname and that the current time falls within the certificate's validity period (notBefore to notAfter).