How to test non self-signed certificate on NATs

[danielserrao]

Hi,

I'm using the nats helm-chart at http://github.com/nats-io/k8s and I did setup TLS by enabling it at https://github.com/nats-io/k8s/blob/main/helm/charts/nats/values.yaml#L290. After that the pods were running successfully and the certificates are installed at /etc/nats-certs/clients/default-ssl-cert/, so it seems fine, but when I tested with the command openssl s_client -tls1_2 -showcerts -connect <nats-url>:8222 from another pod in the same cluster I get:

CONNECTED(00000003)
140592798729536:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 188 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1673799711
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

This seems to be because nats send first an answer with the INFO protocol before sending the TLS ack according to #2804 (comment).

So I tried to test it by executing the command curl http://<nats-url>:8222 because apparently we can test it by accessing it via browser with HTTPS (https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls#creating-self-signed-certificates-for-testing) but I get the following error:

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

On the nats pods logs I don't get any error.

I also tried to test connectivity with the command nats account info --server nats://<nats-url>:4222 --user=<username> --password="<password>" which returned the connection information without any errors.

I have the following questions:

• Does these tests confirm that TLS is NOT working properly?
• If yes, what kind of troubleshooting can I do to find the root cause and fix it? If no, what kind of test can I make to make sure that TLS is working properly?
• Why did you decide to make nats return an answer with the INFO protocol instead of returning immediately an TLS ack like almost every other app? This is not a standard and is making other developers life harder, I think.

[wallyqs]

Hi @danielserrao, the correct way to test this is using the nats tool as openssl utility won't be able to follow the NATS protocol. There is a new command account tls that may help to confirm more details too: nats-io/natscli#660
About 3), it is mostly due to historical reasons, if using the websocket protocol instead of over nats for example it does start tls right away.

[ahirner]

return an answer with the INFO protocol instead of returning immediately an TLS ack

Besides difficulties with proxying, was this behavior validated wrt security concerns at some point?