Allow TLS verification to be skipped #181
Comments
Are you signing the certs using an internal CA for test purposes? This is quite easy and then you just tell it the path to the CA?
No, I didn't want to go through the hassle of setting up a CA.
It's the right thing to do though and it's really easy. That said, server does support disabling verify so seems reasonable CLI should too, it's an easy PR if you want to, else it might take some time.
Bumping on a slightly different request - would it be possible to report that the server's certificate is not trusted? Currently the NATS CLI just fails with an "i/o timeout" -- but it would be great to report that the x509 certificate was signed by an unknown authority - or whatever the trust issue is.
This is already happening
If I don't supply a
Struggling to reproduce that, not giving a CA is the same as using system CA - but it's possible I fixed this in main already so I am not seeing it. Can you do a build of
@ripienaar sorry for the long delay. I got the same issue here. Could this be an issue with the version of NATS server? We're running 2.9.15.

```
mthornton@mbp:~/github.com/nats-io/natscli (main)
$ git branch
* main
$ go run nats/main.go stream ls --tlsca=./mycrt.crt
main: error: setup failed: dial tcp 192.168.205.130:4222: i/o timeout
exit status 1
```

From an environment perspective - I'm trying to hit a Kubernetes service running as a NodePort.
@thorntonmc Weird, this sounds like a bug in nats.go to be honest, or maybe lack of some feedback via callbacks. Do you know Go? Can you maybe write a small bit of Go to try and reproduce using the client?
Hello,
In production we're using valid TLS certificates only for securing the connection, not validating the client. However in test I'm using self-signed certificates for this. There doesn't appear to be a way to disable the NATS client from attempting to verify the TLS certificate of the server. It would be nice to have this option.
Thanks
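
The client-side choices discussed in this thread (test CA missing from the trust store, test CA supplied, verification skipped), as an added Go example that is not part of the issue, natscli or nats.go. It uses `crypto/tls` directly, with an `httptest` TLS server on loopback standing in for a server that has a self-signed certificate; `try`, `run` and the name `other.invalid` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// try performs one client handshake and names the result for the operator.
func try(addr string, cfg *tls.Config) string {
	conn, err := tls.Dial("tcp", addr, cfg)
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	switch {
	case err == nil:
		conn.Close()
		return "connected"
	case errors.As(err, &ua):
		return "rejected: certificate signed by unknown authority"
	case errors.As(err, &hn):
		return "rejected: certificate not valid for requested name"
	}
	return "failed: " + err.Error()
}

// run tries each client setting against a constructed stand-in server (not NATS) with a self-signed cert.
func run() []string {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	testCA := x509.NewCertPool()
	testCA.AddCert(srv.Certificate()) // same effect as naming the test cert as the CA file
	return []string{
		"no test CA: " + try(addr, &tls.Config{RootCAs: x509.NewCertPool()}),
		"test CA: " + try(addr, &tls.Config{RootCAs: testCA}),
		"test CA, wrong name: " + try(addr, &tls.Config{RootCAs: testCA, ServerName: "other.invalid"}),
		// Verification skipped: any certificate and any name (here a made-up one) are accepted.
		"skip verify: " + try(addr, &tls.Config{ServerName: "other.invalid", InsecureSkipVerify: true}),
	}
}

func main() {
	for _, line := range run() {
		fmt.Println(line)
	}
}
```

The stand-in server logs the two rejected handshakes to stderr; that output is expected.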