Add tlsfirst option to pass through to NATS connections (#208)

nats-io · Jul 2, 2024 · bb66bf1 · bb66bf1
1 parent 8d8f7d0
commit bb66bf1
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -45,6 +45,7 @@ Flags:
       --tlscacert string                    Client certificate CA on NATS connections.
       --tlscert string                      Client certificate file for NATS connections.
       --tlskey string                       Client private key for NATS connections.
+      --tlsfirst bool                       Whether to use TLS First connections.
       --user string                         NATS user name or token
   -v, --version                             version for nats-surveyor
 ```

diff --git a/cmd/root.go b/cmd/root.go
@@ -196,6 +196,10 @@ func init() {
 	rootCmd.Flags().String("tlscacert", "", "Client certificate CA on NATS connections.")
 	_ = viper.BindPFlag("tlscacert", rootCmd.Flags().Lookup("tlscacert"))
 
+	// tlsfirst
+	rootCmd.Flags().Bool("tlsfirst", false, "Whether to use TLS First connections.")
+	_ = viper.BindPFlag("tlsfirst", rootCmd.Flags().Lookup("tlsfirst"))
+
 	// http-tlscert
 	rootCmd.Flags().String("http-tlscert", "", "Server certificate file (Enables HTTPS).")
 	_ = viper.BindPFlag("http-tlscert", rootCmd.Flags().Lookup("http-tlscert"))
@@ -255,6 +259,7 @@ func getSurveyorOpts() *surveyor.Options {
 	opts.CertFile = viper.GetString("tlscert")
 	opts.KeyFile = viper.GetString("tlskey")
 	opts.CaFile = viper.GetString("tlscacert")
+	opts.TLSFirst = viper.GetBool("tlsfirst")
 	opts.HTTPCertFile = viper.GetString("http-tlscert")
 	opts.HTTPKeyFile = viper.GetString("http-tlskey")
 	opts.HTTPCaFile = viper.GetString("http-tlscacert")

diff --git a/surveyor/surveyor.go b/surveyor/surveyor.go
@@ -69,6 +69,7 @@ type Options struct {
 	CertFile             string
 	KeyFile              string
 	CaFile               string
+	TLSFirst             bool
 	HTTPCertFile         string
 	HTTPKeyFile          string
 	HTTPCaFile           string
@@ -184,6 +185,9 @@ func newSurveyorConnPool(opts *Options, reconnectCtr *prometheus.CounterVec) *na
 		}),
 		nats.MaxReconnects(10240),
 	)
+	if opts.TLSFirst {
+		natsOpts = append(natsOpts, nats.TLSHandshakeFirst())
+	}
 	return newNatsConnPool(opts.Logger, natsDefaults, natsOpts)
 }