Allow TLS verification to be skipped

[Xiol]

Hello,

In production we're using valid TLS certificates only for securing the connection, not validating the client. However in test I'm using self-signed certificates for this. There doesn't appear to be a way to disable the NATS client from attempting to verify the TLS certificate of the server. It would be nice to have this option.

Thanks

[ripienaar]

Are you signing the certs using a internal CA for test purpose? This is quite easy and then you just tell it the path to the CA?

[Xiol]

No, I didn't want to go through the hassle of setting up a CA.

[ripienaar]

It's the right thing to do though and its really easy.

That said, server does support disabling verify so seems reasonable CLI should too, its a easy PR if you want to else it might take some time.

[thorntonmc]

Bumping on a slightly different request - would it be possible to report that the server's certificate is not trusted? Currently the NATS CLI just fails with an "i/o timeout" -- but it would be great to report that the x509 certificate was signed by an unknown authority - or whatever the trust issue is.

[ripienaar]

$ nats --tlsca wrong.pem rtt
nats: error: tls: failed to verify certificate: x509: certificate signed by unknown authority

This is already happening

[thorntonmc]

If I don't supply a --tlsca, then the operation times out. This happens if you're connecting to a context prefixed with tls://, not supplying a CA, and the certificate returned is not trusted.

[ripienaar]

Struggling to reproduce that, not giving a CA is same as using system CA - but its possible I fixed this in main already so I am not seeing it.

Can you do a build of main branch and compare @thorntonmc, if you don't know Go I can give you some other options to try it