Cert Store (aka wincert) feature wasn't properly handling TLS 1.2
handshake with TLS 1.2 clients that do not support RSA signature with
PSS padding.
With this update, Cert Store will perform either PKCS#1 v1.5 or PSS
padding for RSA signature depending on what type is negotiated by the
TLS 1.2 client.
Issue surfaces with the NATS .NET v1 client which supports TLS 1.2 only
(.NET 4.6.2 dependency) only when the client application was hosted on
Windows 10 Enterprise LTSC 2019 (equivalent also to Windows 10 1809 and
Windows Server 2019). If the same client was executed on a more modern
Windows 10 release, RSA signature with PSS padding was negotiated and
succeeded normally.
The Go NATS client as well as any client operating at TLS 1.3 level
would not exhibit the issue as TLS 1.3 requires PSS.
Fix tested good on Windows 10 Enterprise LTSC 2019 host and in confirmed
fixed in user's Windows environment where the issue was originally
detected.
The `.` character will be transformed to `//` in NATS subject. For
instance an MQTT message published on `spBv1.0/plant1` would be received
by a NATS subscriber as `spBv1//0.plant1`.
Conversely, a NATS message published on `spBv1//0.plant1` would be
received by an MQTT subscriber as `spBv1.0/plant1`.
Resolves#1879Resolves#3482
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
The `.` character will be transformed to `//` in NATS subject. For
instance an MQTT message published on `spBv1.0/plant1` would
be received by a NATS subscriber as `spBv1//0.plant1`.
Conversely, a NATS message published on `spBv1//0.plant1` would
be received by an MQTT subscriber as `spBv1.0/plant1`.
Resolves#1879Resolves#3482
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
This PR separates out the small amount of necessary metadata for
retained messages (stream sequence, floor) from the message itself,
instead accessing the messages themselves with KV-like access patterns.
This should save quite a bit of memory where there are lots of retained
messages since we only now need to hold a small amount of metadata
instead of the entire messages.
Signed-off-by: Neil Twigg <neil@nats.io>
If we know we are in stand alone mode only send out statsz updates if we
know we have external interest.
Signed-off-by: Derek Collison <derek@nats.io>
Resolves: #4234
If we know we are in stand alone mode we do not need to run the updates
for JetStream account resources updates.
Signed-off-by: Derek Collison <derek@nats.io>
Resolves#4227 (Partial)
When messages were very small and the key space was very large the
performance of last message gets in the store layer (both file and
memory) would degrade.
If the subject is literal we can optimize and avoid sequence scans that
are needed when multiple subject states need to be considered.
Signed-off-by: Derek Collison <derek@nats.io>
Resolves#4221
- [ ] Link to issue, e.g. `Resolves #NNN`
- [ ] Documentation added (if applicable)
- [ ] Tests added
- [x] Branch rebased on top of current main (`git pull --rebase origin
main`)
- [x] Changes squashed to a single commit (described
[here](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html))
- [x] Build is green in Travis CI
- [x] You have certified that the contribution is your original work and
that you license the work to the project under the [Apache 2
license](https://github.com/nats-io/nats-server/blob/main/LICENSE)
### Changes proposed in this pull request:
- Refactors BenchmarkJetStream(Consume|Publish) and BenchmarkJetStreamKV
benchmarks to connect to stream leader for benchmark cases where cluster
size is greater than 1.
- BenchmarkJetStreamKV now only targets a single bucket (B=1).
CC: @mprimi
When a server would send an asynchronous INFO to a remote server it
would incorrectly contain compression information that could cause
issues with one side thinking that the connection should be compressed
while the other side was not.
It also caused the authentication timer to be incorrectly set which
would cause a disconnect.
Signed-off-by: Ivan Kozlovic <ijkozlovic@gmail.com>
Fix for properly distributed queue requests over multiple leafnode
connections.
When a leafnode server joins two accounts in a supercluster, we want to
make sure that each connection properly takes into account the weighted
number of subscribers in each account.
Signed-off-by: Derek Collison <derek@nats.io>
When a leafnode server joins two accounts in a supercluster, we want to make sure that each connection properly takes into account the weighted number of subscribers in each account.
Signed-off-by: Derek Collison <derek@nats.io>
It doesn't really appear as though, for what these tests are trying to
prove, that an excessively large number of messages is required. Instead
let's drop the count a little in the hope that they run a bit faster.
Signed-off-by: Neil Twigg <neil@nats.io>
When a server would send an asynchronous INFO to a remote server
it would incorrectly contain compression information that could
cause issues with one side thinking that the connection should
be compressed while the other side was not.
It also caused the authentication timer to be incorrectly set
which would cause a disconnect.
Signed-off-by: Ivan Kozlovic <ijkozlovic@gmail.com>
It doesn't really appear as though, for what these tests are trying to
prove, that an excessively large number of messages is required. Instead
let's drop the count a little in the hope that they run a bit faster.
Signed-off-by: Neil Twigg <neil@nats.io>
Bail early if new consumer, meaning stream sequence floor is 0.
Decide which linear space to scan.
Do no work if no pending and we just need to adjust which we do at the
end.
Also realized some tests were named wrong and were not being run, or
were in wrong file.
Signed-off-by: Derek Collison <derek@nats.io>
Bail early if new consumer, meaning stream sequence floor is 0.
Decide which linear space to scan.
Do no work if no pending and we just need to adjust which we do at the end.
Also realized some tests were named wrong and were not being run, or were in wrong file.
Signed-off-by: Derek Collison <derek@nats.io>
- [X] Link to issue, e.g. `Resolves #4141`
- [X] Tests added
- [X] Branch rebased on top of current dev
- [X] Changes squashed to a single commit (described
[here](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html))
- [x] Build is green in Travis CI
- [X] You have certified that the contribution is your original work and
that you license the work to the project under the [Apache 2
license](https://github.com/nats-io/nats-server/blob/main/LICENSE)
Resolves#4141
### Changes proposed in this pull request:
Adds a check that the stream name of a stream source is valid and
associated new error if it isn't.
Currently `UpdateKnownPeers` doesn't send a peer state when a single
peer add operation is taking place, but it seems like this can
potentially race when there are lots of changes to the replica count
happening in rapid succession. Sending the peer state in all cases seems
to fix this issue and, so far in my testing, fixes the failground stream
update replicas test.
Signed-off-by: Neil Twigg <neil@nats.io>
