[FIXED] Client certificate verification when verify is true.

Server was incorrectly requiring a client certificate, but not
verifying it.

Resolves #336

server/opts.go

@@ -309,7 +309,7 @@ func parseCluster(cm map[string]interface{}, opts *Options) error {
 			// as both client and server, so will mirror the rootCA to the
 			// clientCA pool.
 			opts.ClusterTLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
-			opts.ClusterTLSConfig.ClientCAs = opts.ClusterTLSConfig.RootCAs
+			opts.ClusterTLSConfig.RootCAs = opts.ClusterTLSConfig.ClientCAs
 			opts.ClusterTLSTimeout = tc.Timeout
 		case "no_advertise":
 			opts.ClusterNoAdvertise = mv.(bool)
@@ -573,7 +573,7 @@ func GenTLSConfig(tc *TLSConfigOpts) (*tls.Config, error) {
 
 	// Require client certificates as needed
 	if tc.Verify {
-		config.ClientAuth = tls.RequireAnyClientCert
+		config.ClientAuth = tls.RequireAndVerifyClientCert
 	}
 	// Add in CAs if applicable.
 	if tc.CaFile != "" {
@@ -586,7 +586,7 @@ func GenTLSConfig(tc *TLSConfigOpts) (*tls.Config, error) {
 		if !ok {
 			return nil, fmt.Errorf("failed to parse root ca certificate")
 		}
-		config.RootCAs = pool
+		config.ClientCAs = pool
 	}
 
 	return &config, nil

server/server.go

@@ -91,7 +91,7 @@ func New(opts *Options) *Server {
 
 	// Process TLS options, including whether we require client certificates.
 	tlsReq := opts.TLSConfig != nil
-	verify := (tlsReq && opts.TLSConfig.ClientAuth == tls.RequireAnyClientCert)
+	verify := (tlsReq && opts.TLSConfig.ClientAuth == tls.RequireAndVerifyClientCert)
 
 	info := Info{
 		ID:                genID(),

test/configs/tlsverify_noca.conf

@@ -0,0 +1,18 @@
+
+# Simple TLS config file
+
+listen: localhost:4443
+
+tls {
+  # Server cert
+  cert_file: "./configs/certs/server-cert.pem"
+  # Server private key
+  key_file:  "./configs/certs/server-key.pem"
+  # Specified time for handshake to complete
+  timeout: 2
+  # Require a client certificate
+  verify:    true
+  # Omit the client CA, this is to verify that
+  # the server is really trying to verify the 
+  # client certificate.
+}

test/tls_test.go

@@ -65,11 +65,6 @@ func TestTLSClientCertificate(t *testing.T) {
 		t.Fatalf("Expected error trying to connect to secure server without a certificate")
 	}
 
-	_, err = nats.Connect(nurl)
-	if err == nil {
-		t.Fatalf("Expected error trying to secure connect to secure server without a certificate")
-	}
-
 	// Load client certificate to successfully connect.
 	certFile := "./configs/certs/client-cert.pem"
 	keyFile := "./configs/certs/client-key.pem"
@@ -109,6 +104,23 @@ func TestTLSClientCertificate(t *testing.T) {
 	defer nc.Close()
 }
 
+func TestTLSVerifyClientCertificate(t *testing.T) {
+	srv, opts := RunServerWithConfig("./configs/tlsverify_noca.conf")
+	defer srv.Shutdown()
+
+	nurl := fmt.Sprintf("tls://%s:%d", opts.Host, opts.Port)
+
+	// The client is configured properly, but the server has no CA
+	// to verify the client certificate. Connection should fail.
+	nc, err := nats.Connect(nurl,
+		nats.ClientCert("./configs/certs/client-cert.pem", "./configs/certs/client-key.pem"),
+		nats.RootCAs("./configs/certs/ca.pem"))
+	if err == nil {
+		nc.Close()
+		t.Fatal("Expected failure to connect, did not")
+	}
+}
+
 func TestTLSConnectionTimeout(t *testing.T) {
 	opts := LoadConfig("./configs/tls.conf")
 	opts.TLSTimeout = 0.25