Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't require TLS for in-process connection #4323

Merged
merged 3 commits into from Jul 20, 2023
Merged

Don't require TLS for in-process connection #4323

merged 3 commits into from Jul 20, 2023

Conversation

neilalexander
Copy link
Member

This should fix a bug where in-process connections expect TLS over the net.Pipe if TLS is configured.

Signed-off-by: Neil Twigg neil@nats.io

@neilalexander neilalexander requested a review from a team as a code owner July 19, 2023 16:12
@neilalexander
Copy link
Member Author

@caleblloyd Please test against this commit, should fix your issue.

derekcollison
derekcollison reviewed Jul 19, 2023
View reviewed changes
server/server.go Outdated Show resolved Hide resolved
@derekcollison derekcollison self-requested a review July 19, 2023 17:40
derekcollison
derekcollison reviewed Jul 19, 2023
View reviewed changes
server/server.go Outdated Show resolved Hide resolved
@derekcollison derekcollison self-requested a review July 19, 2023 17:45
derekcollison
derekcollison approved these changes Jul 19, 2023
View reviewed changes
Copy link
Member

@derekcollison derekcollison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@caleblloyd
Copy link
Contributor

caleblloyd commented Jul 19, 2023
edited

@sethjback can you test the latest commit to make sure TLS is not required on in-process connections now, even if it is required on the NATS port?

@caleblloyd
Copy link
Contributor

Getting a new error. Before this change, was seeing:

Error: tls: failed to verify certificate: x509: certificate signed by unknown authority

After this change, am seeing:

Error: tls: first record does not look like a TLS handshake

@derekcollison
Copy link
Member

I will wait to merge until I hear from @neilalexander on the issue above.

@neilalexander
Copy link
Member Author

Have pushed another commit that should resolve this without having to set AllowNonTLS in the config file, which would apply to all connections. Please give it a try.

@caleblloyd
Copy link
Contributor

tls_required: true is still being sent in Server Info to the client, so the Client is attempting to upgrade to TLS... Think we need to detect/change that for the in-process client to send to tls_required: false, tls_available: true

@caleblloyd
Copy link
Contributor

I think 4b064ff works, feel free to cherry-pick that as it is based on this branch already

neilalexander and others added 3 commits July 20, 2023 10:43
@neilalexander
Don't require TLS for in-process connection
ed9fafc 
Signed-off-by: Neil Twigg <neil@nats.io>
@caleblloyd @neilalexander
Adjust in-process server info tls_required to tls_available
7993547 
Signed-off-by: Caleb Lloyd <caleb@synadia.com>
@neilalexander
Add unit test to prove connection works
b7d6b7e 
Signed-off-by: Neil Twigg <neil@nats.io>
@neilalexander
Copy link
Member Author

OK, have added a unit test this time.

caleblloyd
caleblloyd approved these changes Jul 20, 2023
View reviewed changes
Copy link
Contributor

@caleblloyd caleblloyd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@derekcollison derekcollison self-requested a review July 20, 2023 17:21
derekcollison
derekcollison approved these changes Jul 20, 2023
View reviewed changes
Copy link
Member

@derekcollison derekcollison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

test/tls_test.go Show resolved Hide resolved
@derekcollison derekcollison merged commit 0347f27 into main Jul 20, 2023
1 check passed
@derekcollison derekcollison deleted the neil/inprocess branch July 20, 2023 18:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derekcollison derekcollison derekcollison approved these changes

@caleblloyd caleblloyd caleblloyd approved these changes

@sethjback sethjback Awaiting requested review from sethjback

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@neilalexander @caleblloyd @derekcollison