func stressConnect(t *testing.T, wg *sync.WaitGroup, errCh chan error, url string, index int) {
defer wg.Done()
subName := fmt.Sprintf("foo.%d", index)
for i := 0; i < 100; i++ {
nc, err := nats.SecureConnect(url)
if err != nil {
errCh <- fmt.Errorf("Unable to create TLS connection: %v\n", err)
return
}
defer nc.Close()
sub, err := nc.SubscribeSync(subName)
if err != nil {
errCh <- fmt.Errorf("Unable to subscribe on '%s': %v\n", subName, err)
return
}
if err := nc.Publish(subName, []byte("secure data")); err != nil {
errCh <- fmt.Errorf("Unable to send on '%s': %v\n", subName, err)
}
if _, err := sub.NextMsg(2 * time.Second); err != nil {
errCh <- fmt.Errorf("Unable to get next message: %v\n", err)
}
nc.Close()
}
errCh <- nil
}
func TestServerSecureConnections(t *testing.T) {
s, opts := RunServerWithConfig("./configs/tls.conf")
defer s.Shutdown()
endpoint := fmt.Sprintf("%s:%d", opts.Host, opts.Port)
secureUrl := fmt.Sprintf("nats://%s:%s@%s/", opts.Username, opts.Password, endpoint)
// Make sure this succeeds
nc, err := nats.SecureConnect(secureUrl)
if err != nil {
t.Fatal("Failed to create secure (TLS) connection", err)
}
defer nc.Close()
omsg := []byte("Hello World")
received := 0
nc.Subscribe("foo", func(m *nats.Msg) {
received += 1
if !bytes.Equal(m.Data, omsg) {
t.Fatal("Message received does not match")
}
})
err = nc.Publish("foo", omsg)
if err != nil {
t.Fatal("Failed to publish on secure (TLS) connection", err)
}
nc.Flush()
nc.Close()
// Server required, but not requested.
nc, err = nats.Connect(secureUrl)
if err == nil || nc != nil || err != nats.ErrSecureConnRequired {
t.Fatal("Should have failed to create secure (TLS) connection")
}
// Test flag mismatch
// Wanted but not available..
ds := RunDefaultServer()
defer ds.Shutdown()
nc, err = nats.SecureConnect(nats.DefaultURL)
if err == nil || nc != nil || err != nats.ErrSecureConnWanted {
t.Fatalf("Should have failed to create connection: %v", err)
}
}
func TestTLSConnection(t *testing.T) {
srv, opts := RunServerWithConfig("./configs/tls.conf")
defer srv.Shutdown()
endpoint := fmt.Sprintf("%s:%d", opts.Host, opts.Port)
nurl := fmt.Sprintf("nats://%s:%s@%s/", opts.Username, opts.Password, endpoint)
nc, err := nats.Connect(nurl)
if err == nil {
t.Fatalf("Expected error trying to connect to secure server")
}
// Do simple SecureConnect
nc, err = nats.SecureConnect(fmt.Sprintf("nats://%s/", endpoint))
if err == nil {
t.Fatalf("Expected error trying to connect to secure server with no auth")
}
// Now do more advanced checking, verifying servername and using rootCA.
// Setup our own TLSConfig using RootCA from our self signed cert.
rootPEM, err := ioutil.ReadFile("./configs/certs/ca.pem")
if err != nil || rootPEM == nil {
t.Fatalf("failed to read root certificate")
}
pool := x509.NewCertPool()
ok := pool.AppendCertsFromPEM([]byte(rootPEM))
if !ok {
t.Fatalf("failed to parse root certificate")
}
config := &tls.Config{
ServerName: opts.Host,
RootCAs: pool,
MinVersion: tls.VersionTLS12,
}
copts := nats.DefaultOptions
copts.Url = nurl
copts.Secure = true
copts.TLSConfig = config
nc, err = copts.Connect()
if err != nil {
t.Fatalf("Got an error on Connect with Secure Options: %+v\n", err)
}
defer nc.Close()
subj := "foo-tls"
sub, _ := nc.SubscribeSync(subj)
nc.Publish(subj, []byte("We are Secure!"))
nc.Flush()
nmsgs, _ := sub.QueuedMsgs()
if nmsgs != 1 {
t.Fatalf("Expected to receive a message over the TLS connection")
}
}
func TestServerSecureConnections(t *testing.T) {
t.Skip("Moved to gnatsd, waiting on TLS support")
securePort := uint(2288)
// secureServer := startServer(t, securePort, "--ssl")
// defer secureServer.stopServer()
secureUrl := fmt.Sprintf("nats://localhost:%d/", securePort)
// Make sure this succeeds
nc, err := nats.SecureConnect(secureUrl)
if err != nil {
t.Fatal("Failed to create secure (TLS) connection", err)
}
defer nc.Close()
omsg := []byte("Hello World")
received := 0
nc.Subscribe("foo", func(m *nats.Msg) {
received += 1
if !bytes.Equal(m.Data, omsg) {
t.Fatal("Message received does not match")
}
})
err = nc.Publish("foo", omsg)
if err != nil {
t.Fatal("Failed to publish on secure (TLS) connection", err)
}
nc.Flush()
nc.Close()
// Test flag mismatch
// Wanted but not available..
nc, err = nats.SecureConnect(nats.DefaultURL)
if err == nil || nc != nil || err != nats.ErrSecureConnWanted {
t.Fatalf("Should have failed to create connection: %v", err)
}
// Server required, but not requested.
nc, err = nats.Connect(secureUrl)
if err == nil || nc != nil || err != nats.ErrSecureConnRequired {
t.Fatal("Should have failed to create secure (TLS) connection")
}
}
func TestTLSClientCertificate(t *testing.T) {
srv, opts := RunServerWithConfig("./configs/tlsverify.conf")
defer srv.Shutdown()
nurl := fmt.Sprintf("nats://%s:%d", opts.Host, opts.Port)
_, err := nats.Connect(nurl)
if err == nil {
t.Fatalf("Expected error trying to connect to secure server without a certificate")
}
_, err = nats.SecureConnect(nurl)
if err == nil {
t.Fatalf("Expected error trying to secure connect to secure server without a certificate")
}
// Load client certificate to sucessfully connect.
certFile := "./configs/certs/client-cert.pem"
keyFile := "./configs/certs/client-key.pem"
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
t.Fatalf("error parsing X509 certificate/key pair: %v", err)
}
// Load in root CA for server verification
rootPEM, err := ioutil.ReadFile("./configs/certs/ca.pem")
if err != nil || rootPEM == nil {
t.Fatalf("failed to read root certificate")
}
pool := x509.NewCertPool()
ok := pool.AppendCertsFromPEM([]byte(rootPEM))
if !ok {
t.Fatalf("failed to parse root certificate")
}
config := &tls.Config{
Certificates: []tls.Certificate{cert},
ServerName: opts.Host,
RootCAs: pool,
MinVersion: tls.VersionTLS12,
}
copts := nats.DefaultOptions
copts.Url = nurl
copts.Secure = true
copts.TLSConfig = config
nc, err := copts.Connect()
if err != nil {
t.Fatalf("Got an error on Connect with Secure Options: %+v\n", err)
}
nc.Flush()
defer nc.Close()
}