From 3a4e835311ed9e5a2ea0c41b48ea836f5d556f65 Mon Sep 17 00:00:00 2001
From: Derek Collison
Date: Sat, 6 Jun 2020 13:41:34 -0700
Subject: [PATCH] Key off TLS first byte
Signed-off-by: Derek Collison
---
 server/server.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/server/server.go b/server/server.go
index 1eb7a85a..bd5a796f 100644
--- a/server/server.go
+++ b/server/server.go
@@ -1960,14 +1960,13 @@ func (s *Server) createClient(conn net.Conn, ws *websocket) *client {
 if opts.TLSConfig != nil && opts.AllowNonTLS {
 pre = make([]byte, 4)
 c.nc.SetReadDeadline(time.Now().Add(secondsToDuration(opts.TLSTimeout)))
- n, err := io.ReadFull(c.nc, pre[:])
+ n, _ := io.ReadFull(c.nc, pre[:])
 c.nc.SetReadDeadline(time.Time{})
 pre = pre[:n]
- // Assume TLS unless we see nothing or start of CONNECT.
- if err != nil || bytes.Contains(pre, []byte("CO")) {
- tlsRequired = false
- } else {
+ if n > 0 && pre[0] == 0x16 {
 tlsRequired = true
+ } else {
+ tlsRequired = false
 }
 }
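Review bot: The new test `if n > 0 && pre[0] == 0x16` carries a bare magic byte, and the commit deletes the only comment that explained how connections are classified when `AllowNonTLS` is set. I would put `// 0x16 is the TLS record content type for a handshake; no data before the deadline, or any other first byte, means a plaintext client.` above it, and collapse the if/else into `tlsRequired = n > 0 && pre[0] == 0x16`. Because the error from `io.ReadFull` is now discarded, a reset or other non-timeout read failure takes the plaintext branch just like a quiet client; that matches the old `err != nil` handling, but the comment should say it is deliberate. createClient starts and ends outside this hunk, so how the connection is treated after this decision cannot be checked from here.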