Accept Tls First as an Option (#1015)

scottf · web-flow · commit a75c17ace9ec · 2023-10-19T11:43:06.000-04:00
diff --git a/README.md b/README.md
@@ -13,7 +13,6 @@
 [![Build Main Badge](https://github.com/nats-io/nats.java/actions/workflows/build-main.yml/badge.svg?event=push)](https://github.com/nats-io/nats.java/actions/workflows/build-main.yml)
 [![Release Badge](https://github.com/nats-io/nats.java/actions/workflows/build-release.yml/badge.svg?event=release)](https://github.com/nats-io/nats.java/actions/workflows/build-release.yml)
 
-#
 ### Simplification
 
 There is a new simplified api that makes working with streams and consumers well, simpler! Simplification is released as of 2.16.14.
@@ -51,6 +50,26 @@ Version 2.5.0 adds some back pressure to publish calls to alleviate issues when
 
 Previous versions are still available in the repo.
 
+#### Version 2.17.1 Support for TLS First
+
+There is a new connection Option, `tlsFirst` for "TLSHandshakeFirst"
+
+In Server 2.10.3 and later, there is the ability to have TLS Handshake First. 
+The server config will add this:
+
+```text
+tls {
+  ...
+  handshake_first: 300ms
+}
+```
+
+TLS Handshake First is used to instruct the library perform
+the TLS handshake right after the connect and before receiving
+the INFO protocol from the server. If this option is enabled
+but the server is not configured to perform the TLS handshake
+first, the connection will fail.
+
 #### Version 2.17.0: Server 2.10 support. Subject and Queue Name Validation
 
 With the release of the 2.10 server, the client has been updated to support new features. 
diff --git a/src/main/java/io/nats/client/Options.java b/src/main/java/io/nats/client/Options.java
@@ -432,6 +432,12 @@ public class Options {
      * Property used to set the path to a credentials file to be used in a FileAuthHandler
      */
     public static final String PROP_CREDENTIAL_PATH = PFX + "credential.path";
+    /**
+     * Property used to configure tls first behavior
+     * This property is a boolean flag, telling connections whether
+     * to do TLS upgrade first, before INFO
+     */
+    public static final String PROP_TLS_FIRST = PFX + "tls.first";
     /**
      * This property is used to enable support for UTF8 subjects. See {@link Builder#supportUTF8Subjects() supportUTF8Subjects()}
      * @deprecated only plain ascii subjects are supported
@@ -564,6 +570,7 @@ public class Options {
     private final int maxMessagesInOutgoingQueue;
     private final boolean discardMessagesWhenOutgoingQueueFull;
     private final boolean ignoreDiscoveredServers;
+    private final boolean tlsFirst;
 
     private final AuthHandler authHandler;
     private final ReconnectDelayHandler reconnectDelayHandler;
@@ -671,6 +678,7 @@ public static class Builder {
         private int maxMessagesInOutgoingQueue = DEFAULT_MAX_MESSAGES_IN_OUTGOING_QUEUE;
         private boolean discardMessagesWhenOutgoingQueueFull = DEFAULT_DISCARD_MESSAGES_WHEN_OUTGOING_QUEUE_FULL;
         private boolean ignoreDiscoveredServers = false;
+        private boolean tlsFirst = false;
         private ServerPool serverPool = null;
         private DispatcherFactory dispatcherFactory = null;
 
@@ -795,6 +803,8 @@ public Builder properties(Properties props) {
             booleanProperty(props, PROP_DISCARD_MESSAGES_WHEN_OUTGOING_QUEUE_FULL, b -> this.discardMessagesWhenOutgoingQueueFull = b);
 
             booleanProperty(props, PROP_IGNORE_DISCOVERED_SERVERS, b -> this.ignoreDiscoveredServers = b);
+            booleanProperty(props, PROP_TLS_FIRST, b -> this.tlsFirst = b);
+
             classnameProperty(props, PROP_SERVERS_POOL_IMPLEMENTATION_CLASS, o -> this.serverPool = (ServerPool) o);
             classnameProperty(props, PROP_DISPATCHER_FACTORY_CLASS, o -> this.dispatcherFactory = (DispatcherFactory) o);
 
@@ -1465,6 +1475,20 @@ public Builder ignoreDiscoveredServers() {
             return this;
         }
 
+        /**
+         * Set TLS Handshake First behavior on. Default is off.
+         * TLS Handshake First is used to instruct the library perform
+         * the TLS handshake right after the connect and before receiving
+         * the INFO protocol from the server. If this option is enabled
+         * but the server is not configured to perform the TLS handshake
+         * first, the connection will fail.
+         * @return the Builder for chaining
+         */
+        public Builder tlsFirst() {
+            this.tlsFirst = true;
+            return this;
+        }
+
         /**
          * Set the ServerPool implementation for connections to use instead of the default implementation
          * @param serverPool the implementation
@@ -1642,6 +1666,7 @@ public Builder(Options o) {
             this.proxy = o.proxy;
 
             this.ignoreDiscoveredServers = o.ignoreDiscoveredServers;
+            this.tlsFirst = o.tlsFirst;
 
             this.serverPool = o.serverPool;
             this.dispatcherFactory = o.dispatcherFactory;
@@ -1703,6 +1728,7 @@ private Options(Builder b) {
         this.proxy = b.proxy;
 
         this.ignoreDiscoveredServers = b.ignoreDiscoveredServers;
+        this.tlsFirst = b.tlsFirst;
 
         this.serverPool = b.serverPool;
         this.dispatcherFactory = b.dispatcherFactory;
@@ -1913,7 +1939,7 @@ public int getMaxControlLine() {
      * @return true if there is an sslContext for this Options, otherwise false, see {@link Builder#secure() secure()} in the builder doc
      */
     public boolean isTLSRequired() {
-        return (this.sslContext != null);
+        return tlsFirst || this.sslContext != null;
     }
 
     /**
@@ -2080,6 +2106,14 @@ public boolean isIgnoreDiscoveredServers() {
         return ignoreDiscoveredServers;
     }
 
+    /**
+     * Get whether to do tls first
+     * @return the flag
+     */
+    public boolean isTlsFirst() {
+        return tlsFirst;
+    }
+
     /**
      * Get the ServerPool implementation. If null, a default implementation is used.
      * @return the ServerPool implementation
diff --git a/src/main/java/io/nats/client/impl/NatsConnection.java b/src/main/java/io/nats/client/impl/NatsConnection.java
@@ -431,9 +431,12 @@ void tryToConnect(NatsUri cur, NatsUri resolved, long now) {
 
             // Wait for the INFO message manually
             // all other traffic will use the reader and writer
+            // TLS First, don't read info until after upgrade
             Callable<Object> connectTask = () -> {
-                readInitialInfo();
-                checkVersionRequirements();
+                if (!options.isTlsFirst()) {
+                    readInitialInfo();
+                    checkVersionRequirements();
+                }
                 long start = System.nanoTime();
                 upgradeToSecureIfNeeded(resolved);
                 if (trace && options.isTLSRequired()) {
@@ -442,6 +445,10 @@ void tryToConnect(NatsUri cur, NatsUri resolved, long now) {
                     timeTrace(true, "TLS upgrade took: %.3f (s)",
                             ((double) (System.nanoTime() - start)) / 1_000_000_000.0);
                 }
+                if (options.isTlsFirst()) {
+                    readInitialInfo();
+                    checkVersionRequirements();
+                }
                 return null;
             };
 
@@ -545,28 +552,33 @@ void checkVersionRequirements() throws IOException {
 
     void upgradeToSecureIfNeeded(NatsUri nuri) throws IOException {
         Options clientOptions = getOptions();
-        ServerInfo serverInfo = getInfo();
-        boolean before2_9_19 = serverInfo.isOlderThanVersion("2.9.19");
-
-        boolean isTLSRequired = clientOptions.isTLSRequired();
-        boolean upgradeRequired = isTLSRequired;
-        if (isTLSRequired && nuri.isWebsocket()) {
-            // We are already communicating over "https" websocket, so
-            // do NOT try to upgrade to secure.
-            if (before2_9_19) {
-                isTLSRequired = false;
-            }
-            upgradeRequired = false;
-        }
-        if (isTLSRequired && !serverInfo.isTLSRequired()) {
-            throw new IOException("SSL connection wanted by client.");
-        }
-        else if (!isTLSRequired && serverInfo.isTLSRequired()) {
-            throw new IOException("SSL required by server.");
-        }
-        if (upgradeRequired) {
+        if (clientOptions.isTlsFirst()) {
             this.dataPort.upgradeToSecure();
         }
+        else {
+            ServerInfo serverInfo = getInfo();
+            boolean before2_9_19 = serverInfo.isOlderThanVersion("2.9.19");
+
+            boolean isTLSRequired = clientOptions.isTLSRequired();
+            boolean upgradeRequired = isTLSRequired;
+            if (isTLSRequired && nuri.isWebsocket()) {
+                // We are already communicating over "https" websocket, so
+                // do NOT try to upgrade to secure.
+                if (before2_9_19) {
+                    isTLSRequired = false;
+                }
+                upgradeRequired = false;
+            }
+            if (isTLSRequired && !serverInfo.isTLSRequired()) {
+                throw new IOException("SSL connection wanted by client.");
+            }
+            else if (!isTLSRequired && serverInfo.isTLSRequired()) {
+                throw new IOException("SSL required by server.");
+            }
+            if (upgradeRequired) {
+                this.dataPort.upgradeToSecure();
+            }
+        }
     }
 
     // Called from reader/writer thread
diff --git a/src/test/java/io/nats/client/impl/TLSConnectTests.java b/src/test/java/io/nats/client/impl/TLSConnectTests.java
@@ -69,6 +69,20 @@ public void testSimpleTLSConnection() throws Exception {
         }
     }
 
+    @Test
+    public void testSimpleTlsFirstConnection() throws Exception {
+        try (NatsTestServer ts = new NatsTestServer("src/test/resources/tls_first.conf", false)) {
+            String servers = ts.getURI();
+            Options options = new Options.Builder()
+                .server(servers)
+                .maxReconnects(0)
+                .tlsFirst()
+                .sslContext(TestSSLUtils.createTestSSLContext())
+                .build();
+            assertCanConnectAndPubSub(options);
+        }
+    }
+
     @Test
     public void testSimpleUrlTLSConnection() throws Exception {
         //System.setProperty("javax.net.debug", "all");
diff --git a/src/test/resources/tls_first.conf b/src/test/resources/tls_first.conf
@@ -0,0 +1,15 @@
+
+# Simple TLS config file
+
+port: 4443
+net: localhost
+
+tls {
+  cert_file:  "src/test/resources/certs/server.pem"
+  key_file:   "src/test/resources/certs/key.pem"
+  timeout:    2
+  handshake_first: 300ms
+
+  # Optional certificate authority for clients
+  ca_file:   "src/test/resources/certs/ca.pem"
+}
