Add TLS handshake_first support for Cluster

[dmgolovin]

Proposed change

Allow enabling "handshake_first" flag tls {} settings under cluster {} block.

Use case

We have a cluster that comprises two remote sites. There is a traffic inspection agent on one site and it requires TLS to be active from the very beginning.

Contribution

No response

[kozlovic]

@dmgolovin There is no need for that since routes have always done the TLS handshake first without sending any plain text prior to that happening. If you have observed a different behavior, please let me know the server versions and what the configuration looks like.

[kozlovic]

@dmgolovin Any update on this? Should I close the issue?

[Kazmirchuk]

while we are here, I don't see handshake_first documented here or in nats-server --help

[kozlovic]

@Kazmirchuk It seems that there is no documentation for the "client" tls{} block, however, there is one for LeafNodes: https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnode_conf#tls-block. I will create an issue for our docs so that this gets updated (unless I find the documentation by then ;-)).

As for nats-server --help, this is expected since only things that can be configured from the command line are documented there, and handshake_first is not one of the parameters that can be configured from the command line.

[kozlovic]

@Kazmirchuk The documentation PR was merged: nats-io/nats.docs#779

@dmgolovin Did you have a chance to look at my earlier comments? To summarize, the cluster does not need "TLS-first handshake" because it is already doing that. If your experience is different, please let me know, otherwise I will close this issue. Thanks!