When using a WebSocket URI to connect to the NATS server and the server is configured to verify client TLS connections via the NATS protocol, the server sends the tls_required=true flag as part of the initial INFO message.
That results in the WebSocketTransport's connect_tls(...) method getting called with the hostname instead of the full URL. That gets passed to the aiohttp library and eventually results in an exception like:
aiohttp.client_exceptions.InvalidURL: localhost
This can be reproduced with the following patch:
diff --git a/tests/utils.py b/tests/utils.py
index 711e6f5..cd00a65 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -477,7 +477,7 @@ class SingleWebSocketTLSServerTestCase(unittest.TestCase):
)
server = NATSD(
- port=4222, config_file=get_config_file("conf/ws_tls.conf")
+ port=4222, tls=True, config_file=get_config_file("conf/ws_tls.conf")
)
self.server_pool.append(server)
for natsd in self.server_pool:
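Review bot: the `tls=True` argument on the `NATSD(...)` call changes the shared `SingleWebSocketTLSServerTestCase` fixture in tests/utils.py, so every test built on that class would now run against a server in this mode rather than only the reproduction. If this is meant to become a regression test, add a separate test case class that passes `tls=True` and leave the existing one unchanged, and add a short comment on the new call saying why the flag is set, since nothing in the hunk explains that it is there to trigger the second connect_tls() call.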
The fundamental issue is that for the WebSocket connections the TLS upgrade is not supported and should not be attempted.
I think there are two potential solutions:
Update the WebSocketTransport to detect the second connect[_tls]() call and ignore it if already connected via TLS or throw an exception if not connected via TLS.
I am partial to the second option and will work on a pull request to implement that but I am happy to be pointed in a different direction.
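The transport-side guard described in the issue, as an added example that is not code from nats.py or from the issue author: a second connect_tls() call is a no-op when the socket was opened with wss:// and fails closed when it was opened with plaintext ws://. `SketchWebSocketTransport`, `TLSRequiredError`, `handshake` and the ports are hypothetical names and constructed values, and no network I/O is performed.

```python
import asyncio
from urllib.parse import urlparse


class TLSRequiredError(Exception):
    """Server demands TLS but the WebSocket was opened over plaintext ws://."""


class SketchWebSocketTransport:
    """Hypothetical stand-in for a WebSocket transport; tracks state only."""

    def __init__(self):
        self._uri = None
        self._using_tls = None  # None until connect() has run

    async def connect(self, uri: str) -> None:
        parsed = urlparse(uri)
        if parsed.scheme not in ("ws", "wss"):
            raise ValueError(f"not a WebSocket URI: {uri!r}")
        self._uri = uri
        self._using_tls = parsed.scheme == "wss"

    async def connect_tls(self, hostname: str) -> None:
        # This is the second call, triggered by tls_required=true in INFO.
        if self._using_tls is None:
            raise RuntimeError("connect_tls() called before connect()")
        if self._using_tls:
            return  # already inside TLS via wss://, nothing to upgrade
        # Fail closed: never keep talking over plaintext when TLS is required.
        raise TLSRequiredError(
            f"server requires TLS but {self._uri} is plaintext; use wss://"
        )


async def handshake(uri: str, info: dict) -> str:
    """Model of the client flow: connect, read INFO, honour tls_required."""
    transport = SketchWebSocketTransport()
    await transport.connect(uri)
    if info.get("tls_required"):
        await transport.connect_tls(urlparse(uri).hostname)
    return "tls" if transport._using_tls else "plaintext"


def run(uri: str, info: dict) -> str:
    """Synchronous wrapper so the flow can be exercised without a server."""
    return asyncio.run(handshake(uri, info))
```
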
allanbank added a commit to allanbank/nats.py that referenced this issue Apr 6, 2023