Connecting with TLS when NATS is insecure

[GRRedWings]

In using this library compared to others like a Java client, it seems that clients sometimes act slightly different. One specific thing I have noticed is that if create a connection expecting it to use tls by setting the connection URL with tls:\ and setting proper tls parameters, it will connect fine even if NATs is configured to not require TLS.

Is there a definitive answer that this is the expected behavior? From what I see this type of handling is up to the client to implement safeguards, as NATS inherently allows it.

Thanks for any input on this scenario.

[artooro]

If you want to require each client to have a certificate, you need to set verify to true.
See https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/tls_mutual_auth

[GRRedWings]

I think what you are describing with each client needing a certificate and the verify flag is more a mTLS connection.

What I'm saying is that I configure this client to expect that it is making a TLS connection, but the NATS server is insecure it will still connect. Meaning the tls://ip:port will connect even though the server is insecure.

For example though, the java client I am using will throw an exception saying that it was unable to connect in a secure manner.

[artooro]

OK I see, maybe that is a function of the python library then. I've only used Go so far.
But if your server is running with TLS, then it's not a problem right? As the client will not connect if it tries to use non-TLS.

[GRRedWings]

The library connects fine either way. If the client is properly configured for TLS it will connect via tls:\ to both a secure and non-secure NATS without error.

If the server is setup for TLS, I can not connect with a client that is non-TLS.