From 9c6e160d1b21f72b25d68cb71afd9b12e3e4f0ab Mon Sep 17 00:00:00 2001
From: Matthias Schneider
Date: Thu, 25 Jul 2024 09:20:13 +0200
Subject: [PATCH 1/3] support TLS Insecure connection - added flag --tlsinsecure
---
 cli/cli.go | 2 +-
 cli/util.go | 5 +++++
 nats/main.go | 1 +
 options/options.go | 2 ++
 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/cli/cli.go b/cli/cli.go
index 12d420d4..a1ec95de 100644
--- a/cli/cli.go
+++ b/cli/cli.go
@@ -56,7 +56,7 @@ var (
 // These are persisted by contexts, as properties thereof.
 // So don't include NATS_CONTEXT in this list.
- overrideEnvVars = []string{"NATS_URL", "NATS_USER", "NATS_PASSWORD", "NATS_CREDS", "NATS_NKEY", "NATS_CERT", "NATS_KEY", "NATS_CA", "NATS_TIMEOUT", "NATS_SOCKS_PROXY", "NATS_COLOR"}
+ overrideEnvVars = []string{"NATS_URL", "NATS_USER", "NATS_PASSWORD", "NATS_CREDS", "NATS_NKEY", "NATS_CERT", "NATS_KEY", "NATS_CA", "NATS_TIMEOUT", "NATS_SOCKS_PROXY", "NATS_COLOR", "NATS_TLSINSECURE"}
 )
 func registerCommand(name string, order int, c func(app commandHost)) {
diff --git a/cli/util.go b/cli/util.go
index 9634c4cb..63b0d8c1 100644
--- a/cli/util.go
+++ b/cli/util.go
@@ -17,6 +17,7 @@ import (
 "bufio"
 "bytes"
 "context"
+ "crypto/tls"
 "encoding/base64"
 "encoding/json"
 "errors"
@@ -307,6 +308,10 @@ func natsOpts() []nats.Option {
 connectionName = "NATS CLI Version " + Version
 }
+ if opts().TlsInsecure {
+ copts = append(copts, nats.Secure(&tls.Config{InsecureSkipVerify: true}))
+ }
+
 return append(copts, []nats.Option{
 nats.Name(connectionName),
 nats.MaxReconnects(-1),
diff --git a/nats/main.go b/nats/main.go
index f961702f..ebd7b057 100644
--- a/nats/main.go
+++ b/nats/main.go
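Review bot: Putting NATS_TLSINSECURE into overrideEnvVars means, per the comment directly above the list, that it becomes a property contexts persist, so a context saved while the variable happens to be set would carry verification-off into every later session that selects that context, with no flag visible on the command line. I cannot see the code that consumes the list, so please confirm that persistence is intended here. If it is, the context display should surface the setting so a stored insecure context is obvious at a glance, and which strings the environment variable accepts as true is worth a line in the flag help. The name itself follows the existing NATS_CERT/NATS_KEY/NATS_CA pattern.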
@@ -57,6 +57,7 @@ See 'nats cheat' for a quick cheatsheet of commands`
 ncli.Flag("tlskey", "TLS private key").Envar("NATS_KEY").PlaceHolder("FILE").ExistingFileVar(&opts.TlsKey)
 ncli.Flag("tlsca", "TLS certificate authority chain").Envar("NATS_CA").PlaceHolder("FILE").ExistingFileVar(&opts.TlsCA)
 ncli.Flag("tlsfirst", "Perform TLS handshake before expecting the server greeting").BoolVar(&opts.TlsFirst)
+ ncli.Flag("tlsinsecure", "Disable TLS Certificate Verification").Envar("NATS_TLSINSECURE").BoolVar(&opts.TlsInsecure)
 if runtime.GOOS == "windows" {
 ncli.Flag("certstore", "Uses a Windows Certificate Store for TLS (user, machine)").PlaceHolder("TYPE").EnumVar(&opts.WinCertStoreType, "user", "windowscurrentuser", "machine", "windowslocalmachine")
 ncli.Flag("certstore-match", "Which certificate to use in the store").PlaceHolder("QUERY").StringVar(&opts.WinCertStoreMatch)
diff --git a/options/options.go b/options/options.go
index 867306c6..6a8b1b9d 100644
--- a/options/options.go
+++ b/options/options.go
@@ -36,6 +36,8 @@ type Options struct {
 TlsKey string
 // TlsCA is the certificate authority to verify the connection with
 TlsCA string
+ // TlsInsecure Disable TLS Certificate Verification
+ TlsInsecure bool
 // Timeout is how long to wait for operations
 Timeout time.Duration
 // ConnectionName is the name to use for the underlying NATS connection
From efb23c42620c3041daf54afcee93d3b6462e5ce6 Mon Sep 17 00:00:00 2001
From: Matthias Schneider
Date: Thu, 25 Jul 2024 10:48:07 +0200
Subject: [PATCH 2/3] improved tlsinsecure
---
 cli/util.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/cli/util.go b/cli/util.go
index 63b0d8c1..ba7f1601 100644
--- a/cli/util.go
+++ b/cli/util.go
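Review bot: The help text `"Disable TLS Certificate Verification"` capitalises the common nouns, unlike the neighbouring flags (`"TLS private key"`, `"Perform TLS handshake before expecting the server greeting"`), and it does not say which side goes unverified; `"Disable TLS certificate verification of the server"` matches the surrounding style and is precise. The later patch in this series also sets `o.Secure = true` for this flag, which as far as I can tell from nats.go makes TLS mandatory for the connection, so the help could mention that the flag still requires a TLS-capable server rather than downgrading to plaintext. The rest of the flag registrations continue outside the hunk, so I can't tell whether this file has a convention for grouping or marking dangerous flags that should apply here.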
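Review bot: The new field comment `// TlsInsecure Disable TLS Certificate Verification` reads as a title rather than a sentence and breaks the `// TlsCA is the ...` form used by every neighbouring field; `// TlsInsecure disables verification of the server's TLS certificate` fits the existing style. The comment should describe only what the field controls; how it is populated (flag, environment variable or a saved context) is decided elsewhere and may change.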
@@ -309,7 +309,15 @@ func natsOpts() []nats.Option {
 }
 if opts().TlsInsecure {
- copts = append(copts, nats.Secure(&tls.Config{InsecureSkipVerify: true}))
+ insecureOption := func(o *nats.Options) error {
+ if o.TLSConfig == nil {
+ o.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+ } else {
+ o.TLSConfig.InsecureSkipVerify = true
+ }
+ return nil
+ }
+ copts = append(copts, insecureOption)
 }
 return append(copts, []nats.Option{
From e15ea1410bfa5ea88ac31c7223f37643c811e8f4 Mon Sep 17 00:00:00 2001
From: Matthias Schneider
Date: Thu, 25 Jul 2024 11:23:43 +0200
Subject: [PATCH 3/3] also set secure true
---
 cli/util.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cli/util.go b/cli/util.go
index ba7f1601..6302b418 100644
--- a/cli/util.go
+++ b/cli/util.go
@@ -310,6 +310,7 @@ func natsOpts() []nats.Option {
 if opts().TlsInsecure {
 insecureOption := func(o *nats.Options) error {
+ o.Secure = true
 if o.TLSConfig == nil {
 o.TLSConfig = &tls.Config{InsecureSkipVerify: true}
 } else {
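Review bot: The closure now merges into whatever tls.Config earlier options installed instead of replacing it, which fixes the clobbering of tlscert/tlsca settings, but nothing tells the user that verification is off; since this is a conscious downgrade it should be visible in the output, e.g. one line inside the `if`: `fmt.Fprintln(os.Stderr, "TLS certificate verification is disabled (--tlsinsecure)")`, routed through whatever quiet/trace facility the CLI already has and assuming fmt and os are already imported in util.go. The freshly built `&tls.Config{InsecureSkipVerify: true}` carries no MinVersion, whereas nats.go's own option constructors build their config with `MinVersion: tls.VersionTLS12` as far as I recall, so `&tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}` keeps the two paths consistent. The effect also depends on ordering: any option appended to copts after this one that assigns `o.TLSConfig` would silently drop the bit, and natsOpts continues past the hunk, so please confirm the closure runs last among the TLS-related options. Leaving the comment `// applies on top of any TLSConfig set by the certificate options above` on the closure would make that dependency explicit.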