When OCSP is enabled, if leaf TLS configured, leaf silently set/overridden to mTLS
In server versions up to 2.9.15, where OCSP is enabled, the operator is unable to configure a Leaf listener with TLS enabled (server-only validation) by setting the verify option to false, or by not specifying a value for verify and taking the documented default (false).
The server silently sets client auth TLS policy to true on the Leaf listener.
Steps or code to reproduce the issue:
Configure a NATS server with the OCSP staple feature enabled.
Add a leaf configuration with a TLS block with verify: false
Attempt NATS leaf remote connection to the NATS Server with 1-way TLS (server only)
Expected result:
Client INFO reflects tls_verify as false and 1-way TLS handshake succeeds.
Actual result:
Client INFO on connect reflects tls_verify as true, and the 1-way TLS (server only) handshake does not succeed.
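The mismatch described above (configured verify: false, advertised tls_verify: true) can be checked mechanically from the INFO line the server sends on connect. The following Go program is an added example, not code from the nats-server project: it parses a raw INFO protocol line and reports whether the server is demanding client certificates even though the operator configured the leaf listener without them. The sample INFO lines are constructed; tls_verify is the field named in this issue, and tls_required is another standard INFO field included only for context.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// serverInfo holds the subset of the NATS INFO fields relevant to the check.
// tls_verify is the field discussed in this issue; tls_required is a standard
// INFO field carried along for context.
type serverInfo struct {
	TLSRequired bool `json:"tls_required"`
	TLSVerify   bool `json:"tls_verify"`
}

// parseInfoLine parses a raw "INFO {...}" protocol line as sent by the server
// on connect. It returns an error if the line is not an INFO line or the JSON
// payload is malformed.
func parseInfoLine(line string) (serverInfo, error) {
	var info serverInfo
	trimmed := strings.TrimSpace(line)
	if !strings.HasPrefix(trimmed, "INFO ") {
		return info, errors.New("not an INFO line")
	}
	if err := json.Unmarshal([]byte(trimmed[len("INFO "):]), &info); err != nil {
		return info, fmt.Errorf("bad INFO payload: %w", err)
	}
	return info, nil
}

// verifyOverridden reports whether the server advertises client-certificate
// verification (tls_verify=true) even though the operator configured the
// listener with verify: false (or left it at the documented default of false).
// A true result means the effective policy was silently changed to mTLS.
func verifyOverridden(line string, configuredVerify bool) (bool, error) {
	info, err := parseInfoLine(line)
	if err != nil {
		return false, err
	}
	return info.TLSVerify && !configuredVerify, nil
}

// Constructed sample INFO lines (not captured from a real server).
const (
	// What the issue reports: verify configured false, server advertises true.
	infoOverridden = `INFO {"server_id":"EXAMPLE_ID","tls_required":true,"tls_verify":true}`
	// What the operator expected: 1-way TLS, no client verification.
	infoExpected = `INFO {"server_id":"EXAMPLE_ID","tls_required":true,"tls_verify":false}`
)

func main() {
	for _, line := range []string{infoOverridden, infoExpected} {
		over, err := verifyOverridden(line, false)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("configured verify=false, tls_verify overridden to true: %v\n", over)
	}
}
```

To use this against a live server, capture the first line the server sends after the TLS handshake (or from the client library's server-info accessor) and pass it to verifyOverridden together with the verify value from the leaf TLS block; a true result reproduces the behaviour reported here.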
Override happening here in ocsp.go. Root issue is that the Leaf kind of connection is being treated as an in-cluster server-to-server connection, like the Route kind or Gateway kind, but it should be treated as a variation of an external NATS client instead.