
Able to create connection,publish,subscribe without passing ca pem file to a nats core tls enabled server

Open vishaltripathi24 opened this issue 3 years ago • 3 comments

Using nats.py2 I am able to create a connection, publish and subscribe without passing a CA pem file to a TLS-enabled NATS core server running behind a NATS Streaming server, whereas clients in other languages required ca.pem and gave the error: Can't connect: x509: certificate signed by unknown authority

Nats-streaming server configuration: nats_streaming_config.txt

File : nats_pub_sub.txt

Shouldn't the TLS handshake fail, as the server's certificate is not found in the client's truststore?

vishaltripathi24 avatar Apr 20 '21 12:04 vishaltripathi24

Is the client's default TLS context enough for a successful TLS handshake given the server configuration above?

// Client README says: The client will also automatically create a TLS context with defaults in case it detects that it should connect securely against the server.

How is the TLS handshake completed without providing the ca.pem file only for the nats.py2 client? Am I missing something?

@kozlovic , @wallyqs folks any input on this?

vishaltripathi24 avatar Apr 30 '21 12:04 vishaltripathi24

It seems that if the server is configured with TLS it should do the upgrade:

https://github.com/nats-io/nats.py2/blob/7b17b272a642ff59e08e9d81fd733b4d3f58f9c6/nats/io/client.py#L924-L937

It would create a default SSL context in case none is provided in connect, like nc.connect("tls://", tls=ssl_ctx). You could also try passing a default context from the ssl library and setting it with an option: https://docs.python.org/3/library/ssl.html#ssl.wrap_socket

wallyqs avatar Apr 30 '21 13:04 wallyqs

@wallyqs ok, but how does the handshake succeed without the server's authentication, given the default context (without a certificate)?

vishaltripathi24 avatar Apr 30 '21 13:04 vishaltripathi24
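The question in this thread comes down to what a "default" ssl.SSLContext actually verifies. The following is an added example, not code from nats.py2 or from anyone in the thread, and it makes no claim about which context nats.py2 builds internally. It uses only the Python standard library: `permissive_context()` builds a context the way a naive fallback might (verify_mode CERT_NONE, no hostname check), which completes a handshake against any server certificate, including one signed by an unknown CA; `nats_client_context()` builds one that pins to `ca.pem` and requires a verified chain, so the handshake raises the Python equivalent of the Go error quoted above. `tls_upgrade()` shows the NATS-style upgrade order (plaintext INFO first, then TLS); the INFO line in the test is constructed, and the `ca.pem` path, `tls_available` handling and `describe()` helper are assumptions made for illustration.

```python
"""Added example: what a client-side SSLContext verifies, and a CA-pinned one.
Not nats.py2 code; standard library only."""
import json
import socket
import ssl
import warnings
from typing import Optional


def permissive_context() -> ssl.SSLContext:
    """Illustrative 'just use defaults' fallback (an assumption, not nats.py2's code).

    ssl.SSLContext(ssl.PROTOCOL_TLS) verifies nothing: verify_mode is CERT_NONE and
    check_hostname is False, so a self-signed cert, a cert from an unknown CA or a
    cert for the wrong name all complete the handshake. The session is encrypted
    but the peer is not authenticated, which is exactly the behaviour asked about.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # PROTOCOL_TLS on 3.10+
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


def nats_client_context(ca_file: Optional[str] = None,
                        client_cert: Optional[str] = None,
                        client_key: Optional[str] = None) -> ssl.SSLContext:
    """Context that authenticates the server; pass this as the `tls` option.

    create_default_context() uses PROTOCOL_TLS_CLIENT with CERT_REQUIRED and
    check_hostname=True. With cafile set it trusts ONLY that CA (system roots are
    not loaded), which is what you want for a private NATS CA such as ca.pem.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:  # mutual TLS, if the server is configured with verify: true
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Quick check of whether a context will reject an untrusted server cert."""
    verifies_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    return {
        "verifies_chain": verifies_chain,
        "checks_hostname": bool(ctx.check_hostname),
        "authenticates_server": verifies_chain and bool(ctx.check_hostname),
    }


def parse_info_line(line: bytes) -> dict:
    """Parse the plaintext INFO the NATS server sends before any TLS handshake."""
    if not line.startswith(b"INFO "):
        raise ValueError("expected INFO from server, got %r" % line[:16])
    return json.loads(line[len(b"INFO "):].strip())


def _read_line(sock: socket.socket) -> bytes:
    # Byte-at-a-time so nothing past the INFO line is buffered away from the TLS layer.
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed connection before INFO")
        buf += chunk
    return bytes(buf)


def tls_upgrade(sock: socket.socket, ctx: ssl.SSLContext, server_hostname: str) -> ssl.SSLSocket:
    """Read INFO, then start TLS on the same socket, as the NATS protocol does.

    With nats_client_context() the wrap raises ssl.SSLCertVerificationError
    ("unable to get local issuer certificate") for a server cert signed by a CA
    not in the context: the Python counterpart of Go's
    "x509: certificate signed by unknown authority". With permissive_context()
    the same wrap succeeds silently.
    """
    info = parse_info_line(_read_line(sock))
    # tls_required is the classic field; tls_available is assumed here for newer servers.
    if not (info.get("tls_required") or info.get("tls_available")):
        raise RuntimeError("server did not offer TLS; refusing plaintext fallback")
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


if __name__ == "__main__":
    print("permissive:", describe(permissive_context()))
    print("pinned:    ", describe(nats_client_context()))
    # Real use (needs a reachable TLS-enabled server and its ca.pem):
    #   ctx = nats_client_context(ca_file="ca.pem")
    #   s = socket.create_connection(("nats.example.internal", 4222))
    #   tls = tls_upgrade(s, ctx, "nats.example.internal")
    #   print(tls.getpeercert()["subject"])
```

The practical check is `describe(ctx)["authenticates_server"]`: if it is False, a handshake that "works" without `ca.pem` proves nothing about who you are talking to. Pass an explicit context built with `cafile="ca.pem"` rather than relying on whatever a client creates by default.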