Merge pull request #143 from nats-io/tls_strict_route

TLS strict route verifications
2026-04-17 03:24:40 -07:00 · 2015-11-23 12:18:41 -08:00
parent a691aaf278 fe6402a948
commit 9d0695ec47
2 changed files with 12 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -31,6 +31,13 @@ Authorization Options:
        --user user                  User required for connections
        --pass password              Password required for connections

+TLS Options:
+        --tls                        Enable TLS, do not verify clients (default: false)
+        --tlscert FILE               Server certificate file
+        --tlskey FILE                Private key for server certificate
+        --tlsverify                  Enable TLS, very client certificates
+        --tlscacert client           Client certificate CA for verification
+
 Cluster Options:
        --routes [rurl-1, rurl-2]    Routes to solicit and connect

--- a/server/opts.go
+++ b/server/opts.go
@@ -189,6 +189,11 @@ func parseCluster(cm map[string]interface{}, opts *Options) error {
 			if opts.ClusterTLSConfig, err = GenTLSConfig(tc); err != nil {
 				return err
 			}
+			// For clusters, we will force strict verification. We also act
+			// as both client and server, so will mirror the rootCA to the
+			// clientCA pool.
+			opts.ClusterTLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
+			opts.ClusterTLSConfig.ClientCAs = opts.ClusterTLSConfig.RootCAs
 			opts.ClusterTLSTimeout = tc.Timeout
 		}
 	}