(t *testing.T)
| 3524 | } |
| 3525 | |
func TestTLSHandshakeFirstMTLSReject(t *testing.T) {
	// With TLS handshake-first enabled, a client certificate that the
	// server's own mTLS verification does not trust must be refused by the
	// server itself, and the client must observe that refusal as an explicit
	// TLS alert rather than a bare EOF (which would hide why it was refused).

	sopts := test.DefaultTestOptions
	sopts.Port = -1

	// Verify: true makes the server validate client certificates against ca.pem.
	tlsOpts := &server.TLSConfigOpts{
		CertFile: "./configs/certs/server.pem",
		KeyFile:  "./configs/certs/key.pem",
		CaFile:   "./configs/certs/ca.pem",
		Verify:   true,
	}
	tlsConfig, err := server.GenTLSConfig(tlsOpts)
	if err != nil {
		t.Fatalf("Can't build TLSConfig: %v", err)
	}
	sopts.TLSConfig = tlsConfig
	sopts.TLSTimeout = 2.0
	sopts.TLSHandshakeFirst = true

	srv := RunServerWithOptions(&sopts)
	defer srv.Shutdown()

	// The client presents a certificate issued by a CA the server does not
	// trust, so the server-side verification is expected to reject it.
	serverURL := fmt.Sprintf("tls://127.0.0.1:%d", sopts.Port)
	_, err = nats.Connect(serverURL,
		nats.RootCAs("./configs/certs/ca.pem"),
		nats.ClientCert("./configs/certs/client-cert-invalid.pem", "./configs/certs/client-key-invalid.pem"),
		nats.TLSHandshakeFirst(),
	)
	switch {
	case err == nil:
		t.Fatal("Expected error, got nil")
	case errors.Is(err, io.EOF):
		// An EOF means the connection was simply dropped; the server is
		// expected to send a TLS alert so the failure is attributable.
		t.Fatalf("Expected TLS alert error, not EOF: %v", err)
	case !strings.Contains(err.Error(), "tls:"):
		// The surfaced error should identify itself as a TLS-layer failure.
		t.Fatalf("Expected TLS certificate error, got: %v", err)
	}
}
| 3571 | |
| 3572 | func TestTLSEOFAfterHandshakeNonTLSFirst(t *testing.T) { |
| 3573 | // When the server requires TLS (but not handshake-first), completes |