| 3570 | } |
| 3571 | |
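// TestTLSEOFAfterHandshakeNonTLSFirst checks the error returned when a server
// drops the connection right after an INFO-driven TLS upgrade.
//
// The mock server advertises tls_required (but not handshake-first),
// completes the TLS handshake, and then closes without answering the client.
// nats.Connect must fail, and the returned error must wrap nats.ErrTLS.
func TestTLSEOFAfterHandshakeNonTLSFirst(t *testing.T) {
	tc := &server.TLSConfigOpts{
		CertFile: "./configs/certs/server.pem",
		KeyFile:  "./configs/certs/key.pem",
	}
	tlsConf, err := server.GenTLSConfig(tc)
	if err != nil {
		t.Fatalf("Can't build TLSConfig: %v", err)
	}
	// NOTE(review): in crypto/tls, ServerName is a client-side setting; it
	// looks unused by tls.Server below. Kept as in the original.
	tlsConf.ServerName = "localhost"

	// Bind to an ephemeral loopback port so the test never collides with a
	// real server and is not reachable from other hosts.
	l, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		t.Fatalf("Could not listen: %v", err)
	}
	defer l.Close()

	addr := l.Addr().(*net.TCPAddr)

	// Mock server: send INFO requiring TLS, do TLS upgrade, then close.
	go func() {
		conn, err := l.Accept()
		if err != nil {
			return
		}
		defer conn.Close()

		// Send INFO with tls_required before TLS handshake.
		info := fmt.Sprintf("INFO {\"server_id\":\"test\",\"host\":\"localhost\",\"port\":%d,\"tls_required\":true,\"tls_available\":true,\"max_payload\":1048576}\r\n", addr.Port)
		// Stop if the plaintext INFO cannot be delivered; the client
		// cannot start the upgrade without it.
		if _, err := conn.Write([]byte(info)); err != nil {
			return
		}

		// Upgrade to TLS.
		tlsConn := tls.Server(conn, tlsConf)
		if err := tlsConn.Handshake(); err != nil {
			return
		}
		// Wait a bit so the client starts writing CONNECT+PING,
		// then close — this makes "broken pipe" more likely.
		time.Sleep(50 * time.Millisecond)
		tlsConn.Close()
	}()

	// The client trusts the test CA and connects by the name "localhost",
	// so certificate verification is in effect for the handshake.
	nc, err := nats.Connect(
		fmt.Sprintf("nats://localhost:%d", addr.Port),
		nats.RootCAs("./configs/certs/ca.pem"),
	)
	if err == nil {
		// Release the unexpected connection before failing the test.
		nc.Close()
		t.Fatal("Expected error, got nil")
	}
	if !errors.Is(err, nats.ErrTLS) {
		t.Fatalf("Expected error to wrap nats.ErrTLS, got: %v", err)
	}
}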
| 3629 | |