[FIXED] Monitoring: verify_and_map in tls{} config would break monitoring

This was introduced in v2.6.6. In order to solve a config reload
issue, we used tls.Config.GetConfigForClient which allowed the
TLS configuration to be "refreshed" with the latest. However, in
this case, the tls.Config.ClientAuth was not reset to tls.NoClientCert,
which we need for the monitoring port.

Resolves #2980

Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
This commit is contained in:
Ivan Kozlovic
2022-03-30 18:50:52 -06:00
parent 520aa322e4
commit 7bb7309f4c
2 changed files with 17 additions and 3 deletions


@@ -4267,6 +4267,10 @@ func TestMonitorReloadTLSConfig(t *testing.T) {
cert_file: '%s'
key_file: '%s'
ca_file: '../test/configs/certs/ca.pem'
# Set this to make sure that it does not impact secure monitoring
# (which it did, see issue: https://github.com/nats-io/nats-server/issues/2980)
verify_and_map: true
}
`
conf := createConfFile(t, []byte(fmt.Sprintf(template,
@@ -4312,4 +4316,12 @@ func TestMonitorReloadTLSConfig(t *testing.T) {
if err := c.(*tls.Conn).Handshake(); err != nil {
t.Fatalf("Error on TLS handshake: %v", err)
}
// Need to read something to see if there is a problem with the certificate or not.
var buf [64]byte
c.SetReadDeadline(time.Now().Add(250 * time.Millisecond))
_, err = c.Read(buf[:])
if ne, ok := err.(net.Error); !ok || !ne.Timeout() {
t.Fatalf("Error: %v", err)
}
}
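Review bot: The error from `c.SetReadDeadline(...)` is dropped, and a `Read` that returns a nil error (data arrived before the deadline) fails with the misleading message `Error: <nil>`, because a nil error does not satisfy the `net.Error` assertion. Checking the deadline and naming the nil case makes the failure diagnosable: `if err := c.SetReadDeadline(time.Now().Add(250 * time.Millisecond)); err != nil { t.Fatalf("Error setting read deadline: %v", err) }` and, before the type assertion, `if err == nil { t.Fatalf("Expected read timeout, got data from server") }`. The timeout is the only signal this test has that the handshake was accepted with no client certificate, so it is worth making the non-timeout paths explicit. TestMonitorReloadTLSConfig starts outside the hunk.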


@@ -2254,9 +2254,11 @@ func (cl *captureHTTPServerLog) Write(p []byte) (int, error) {
// we instruct the TLS handshake to ask for the tls configuration to be
// used for a specific client. We don't care which client, we always use
// the same TLS configuration.
func (s *Server) getTLSConfig(_ *tls.ClientHelloInfo) (*tls.Config, error) {
func (s *Server) getMonitoringTLSConfig(_ *tls.ClientHelloInfo) (*tls.Config, error) {
opts := s.getOpts()
return opts.TLSConfig, nil
tc := opts.TLSConfig.Clone()
tc.ClientAuth = tls.NoClientCert
return tc, nil
}
// Start the monitoring server
@@ -2281,7 +2283,7 @@ func (s *Server) startMonitoring(secure bool) error {
}
hp = net.JoinHostPort(opts.HTTPHost, strconv.Itoa(port))
config := opts.TLSConfig.Clone()
config.GetConfigForClient = s.getTLSConfig
config.GetConfigForClient = s.getMonitoringTLSConfig
config.ClientAuth = tls.NoClientCert
httpListener, err = tls.Listen("tcp", hp, config)
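Review bot: `tc := opts.TLSConfig.Clone()` in getMonitoringTLSConfig dereferences the result unconditionally; `(*tls.Config).Clone` returns nil for a nil receiver, so if a reload ever leaves `opts.TLSConfig` nil while the secure monitoring listener is still up, `tc.ClientAuth = tls.NoClientCert` panics inside the handshake. Whether reload can clear TLSConfig here is not visible in this hunk, but the guard is cheap: `if tc == nil { return nil, nil }` lets the handshake fall back to the listener's own config, which startMonitoring already sets to `tls.NoClientCert`. The doc comment above the function still describes only the reload motivation; add a line such as `// ClientAuth is forced to tls.NoClientCert on the clone so that verify_and_map on the client port never requires a client certificate on the monitoring port.` so the intent of the override survives the next refactor. The `config.ClientAuth = tls.NoClientCert` line in startMonitoring looks redundant now that GetConfigForClient applies the same override, but it is what makes the nil fallback safe, so it should stay.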