taigrr/nats.docs
1
0
Fork 0
mirror of https://github.com/taigrr/nats.docs synced 2025-01-18 04:03:23 -08:00
Code Issues Projects Releases Wiki Activity
nats.docs/developer/security/tls.md
Stephen Asbury 9618415569 Moved tools to _tools 
Broke up develoepr doc into tree
Small CSS tweak to give diagrams more room
2019-05-15 12:22:57 -07:00

24 lines
1.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Encrypting Connections with TLS
While authentication limits which clients can connect, TLS can be used to check the servers identity and the clients identity and will encrypt the traffic between the two. The most secure version of TLS with NATS is to use verified client certificates. In this mode, the client can check that it trusts the certificate sent by `gnatsd` but the server will also check that it trusts the certificate sent by the client. From an applications perspective connecting to a server that does not verify client certificates may appear identical. Under the covers, disabling TLS verification removes the server side check on the clients certificate. When started in TLS mode, `gnatsd` will require all clients to connect with TLS. Moreover, if configured to connect with TLS, client libraries will fail to connect to a server without TLS.
The [Java examples repository](https://github.com/nats-io/java-nats-examples/tree/master/src/main/resources) contains certificates for starting the server in TLS mode.
```sh
> gnatsd -c /src/main/resources/tls.conf
or
> gnatsd -c /src/main/resources/tls_verify.conf
```
## Connecting with TLS
Connecting to a server with TLS is primarily an exercise in setting up the certificate and trust managers. For example:
!INCLUDE "../../_examples/connect_tls.html"
## Connecting with the TLS Protocol
Some clients may support the `tls` protocol as well as a manual setting to turn on TLS. However, in that case there is likely some form of default or environmental settings to allow the TLS libraries to find certificate and trust stores.
!INCLUDE "../../_examples/connect_tls_url.html"
Reference in New Issue View Git Blame Copy Permalink