Added TLS mismatch information to readme. (#1187)

scottf · web-flow · commit d4849d80474a · 2024-08-16T13:08:32.000-04:00
diff --git a/README.md b/README.md
@@ -1047,6 +1047,26 @@ The raw TLS test certs are in [src/test/resources/certs](src/test/resources/cert
 > rm cert.p12 combined.pem
 ```
 
+### TLS client versus server checks
+
+When creating a connection, client TLS behavior is set while creating options.
+The client assumes TLS is requested if there is an SSLContext instance in the options. 
+There are two ways one exists:
+1. The user directly supplied one 
+2. A default one was created since one was not supplied, but a supplied server url has a secure protocol such as `tls`, `wss` or `opentls`
+
+If there is a mismatch, an IOException will be thrown during connect.
+
+| server config | client options    | result                                       |
+|---------------|-------------------|----------------------------------------------|
+| required      | tls not requested | mismatch, "SSL required by server."          | 
+| available     | tls not requested | ok                                           |    
+| neither       | tls not requested | ok                                           |   
+| required      | tls requested     | ok                                           |
+| available     | tls requested     | ok                                           |
+| neither       | tls requested     | mismatch, "SSL connection wanted by client." |     
+
+
 ### TLS Handshake First
 In Server 2.10.3 and later, there is the ability to have TLS Handshake First.
 
diff --git a/src/main/java/io/nats/client/impl/NatsConnection.java b/src/main/java/io/nats/client/impl/NatsConnection.java
@@ -681,6 +681,14 @@ void upgradeToSecureIfNeeded(NatsUri nuri) throws IOException {
                 dataPort.upgradeToSecure();
             }
             else {
+                // server    | client options      | result
+                // --------- | ------------------- | --------
+                // required  | not isTLSRequired() | mismatch
+                // available | not isTLSRequired() | ok
+                // neither   | not isTLSRequired() | ok
+                // required  | isTLSRequired()     | ok
+                // available | isTLSRequired()     | ok
+                // neither   | isTLSRequired()     | mismatch
                 ServerInfo serverInfo = getInfo();
                 if (options.isTLSRequired()) {
                     if (!serverInfo.isTLSRequired() && !serverInfo.isTLSAvailable()) {
