feat: populate TLS certificate expiry and OCSP peer verify in /varz

Load the server TLS certificate from disk during each /varz request to
read its NotAfter date and expose it as tls_cert_not_after. Also wire
OcspPeerVerify from NatsOptions into the tls_ocsp_peer_verify field.
Both fields were already declared in the Varz model but left unpopulated.
This commit is contained in:
Joseph Doherty
2026-02-23 04:26:45 -05:00
parent 7c324843ff
commit 67a3881c7c


@@ -1,5 +1,6 @@
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using NATS.Server.Protocol;
namespace NATS.Server.Monitoring;
@@ -47,6 +48,22 @@ public sealed class VarzHandler : IDisposable
_lastCpuUsage = currentCpu;
}
// Load the TLS certificate to report its expiry date in /varz.
// Corresponds to Go server/monitor.go handleVarz populating TLSCertExpiry.
DateTime? tlsCertExpiry = null;
if (_options.HasTls && !string.IsNullOrEmpty(_options.TlsCert))
{
try
{
using var cert = X509CertificateLoader.LoadCertificateFromFile(_options.TlsCert);
tlsCertExpiry = cert.NotAfter;
}
catch
{
// cert load failure — leave field as default
}
}
return new Varz
{
Id = _server.ServerId,
@@ -63,6 +80,8 @@ public sealed class VarzHandler : IDisposable
TlsRequired = _options.HasTls && !_options.AllowNonTls,
TlsVerify = _options.HasTls && _options.TlsVerify,
TlsTimeout = _options.HasTls ? _options.TlsTimeout.TotalSeconds : 0,
TlsCertNotAfter = tlsCertExpiry ?? default,
TlsOcspPeerVerify = _options.OcspPeerVerify,
MaxConnections = _options.MaxConnections,
MaxPayload = _options.MaxPayload,
MaxControlLine = _options.MaxControlLine,
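Review bot: `cert.NotAfter` yields a local-time DateTime, so the value stored by `tlsCertExpiry = cert.NotAfter;` in the second hunk and serialized as tls_cert_not_after depends on the host's time zone; `tlsCertExpiry = cert.NotAfter.ToUniversalTime();` keeps the field comparable across servers. The bare `catch` below that line hides every failure, including a missing or unreadable certificate file, which is exactly what an operator reading /varz would want to learn; narrow it to the exceptions the loader actually raises, e.g. `catch (Exception ex) when (ex is IOException or CryptographicException)`, and log the failure rather than leaving only the comment. The certificate is re-read from disk and re-parsed on every /varz request, so if the endpoint is reachable without authentication in this server, repeated requests become file I/O plus X.509 parsing; caching the expiry keyed on the file's last-write time would bound that cost. In the third hunk `TlsOcspPeerVerify = _options.OcspPeerVerify` is not gated on `_options.HasTls`, unlike the `TlsVerify` line directly above it, so it may report true for a server that is not serving TLS at all; `TlsOcspPeerVerify = _options.HasTls && _options.OcspPeerVerify` would match the neighbouring fields, assuming that is the intended semantics. The enclosing method starts before the second hunk and its `return new Varz` initializer continues past the end of the third.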