hub / github.com/nats-io/nats.go / TestTLSHandshakeFirstMTLSReject

Function TestTLSHandshakeFirstMTLSReject

test/conn_test.go:3526–3570  ·  test/conn_test.go::TestTLSHandshakeFirstMTLSReject
(t *testing.T)

Source from the content-addressed store, hash-verified

3524}
3525
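// TestTLSHandshakeFirstMTLSReject checks that, when the NATS server itself
// performs mTLS verification in handshake-first mode and rejects the client
// certificate, nats.Connect fails with a TLS error rather than a wrapped EOF.
func TestTLSHandshakeFirstMTLSReject(t *testing.T) {
	sopts := test.DefaultTestOptions
	// The port actually used is read back from sopts.Port when the client
	// URL is built below; presumably -1 asks the server to pick one.
	sopts.Port = -1

	// Verify turns on client-certificate verification on the server side,
	// which is the mTLS half of this test.
	tc := &server.TLSConfigOpts{
		CertFile: "./configs/certs/server.pem",
		KeyFile:  "./configs/certs/key.pem",
		CaFile:   "./configs/certs/ca.pem",
		Verify:   true,
	}
	tlsConfig, err := server.GenTLSConfig(tc)
	sopts.TLSConfig = tlsConfig
	if err != nil {
		t.Fatalf("Can't build TLSConfig: %v", err)
	}
	sopts.TLSTimeout = 2.0
	sopts.TLSHandshakeFirst = true

	s := RunServerWithOptions(&sopts)
	defer s.Shutdown()

	// Connect with a client cert signed by a different CA. The client still
	// trusts the server's CA, so the only expected failure is the server
	// refusing the client certificate.
	nc, err := nats.Connect(
		fmt.Sprintf("tls://127.0.0.1:%d", sopts.Port),
		nats.RootCAs("./configs/certs/ca.pem"),
		nats.ClientCert("./configs/certs/client-cert-invalid.pem", "./configs/certs/client-key-invalid.pem"),
		nats.TLSHandshakeFirst(),
	)
	if err == nil {
		// An accepted connection here means the untrusted certificate was
		// let through; close it so it does not stay open past the failure.
		nc.Close()
		t.Fatal("Expected error, got nil")
	}
	// NATS server sends a proper TLS alert, so we should NOT get EOF.
	if errors.Is(err, io.EOF) {
		t.Fatalf("Expected TLS alert error, not EOF: %v", err)
	}
	// Should contain a TLS-related error message.
	//
	// NOTE(review): this substring check only shows that some TLS-layer
	// error surfaced. A client-side failure (for example, failing to verify
	// the server chain or to load the client key pair) would presumably also
	// contain "tls:", so a pass does not by itself prove that the server
	// rejected the certificate. Consider asserting on the remote alert once
	// the exact wording nats.go returns has been confirmed.
	if !strings.Contains(err.Error(), "tls:") {
		t.Fatalf("Expected TLS certificate error, got: %v", err)
	}
}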
3571
3572func TestTLSEOFAfterHandshakeNonTLSFirst(t *testing.T) {
3573 // When the server requires TLS (but not handshake-first), completes

Callers

nothing calls this directly

Calls 5

FatalfMethod · 0.80
ConnectMethod · 0.80
RunServerWithOptionsFunction · 0.70
ErrorMethod · 0.65
IsMethod · 0.45

Tested by

no test coverage detected