Skip to content

NATS Sink doesn't support configuring "handshake_first" TLS option #24297

New issue
New issue
Open
Bug
Open
NATS Sink doesn't support configuring "handshake_first" TLS option#24297
Bug
Labels
type: bugA code related bug.
@rdwr-tomers

Description

@rdwr-tomers
rdwr-tomers
opened on Nov 25, 2025

A note for the community

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Problem

NATS TLS has a non-standard feature where it will negotiate enabling TLS with the server upon initial connection.
This defaults to Auto.

When a proxy handles connections from NATS client to NATS server, enabling this feature doesn't work.

In Vector, this setting isn't exposed to the user, defaulting to 'auto', causing Vector NATS sink failure to connect to NATS server.

See NATS docs

Configuration

Version

vector 0.51.0 (x86_64-unknown-linux-gnu f8d6250 2025-11-04 15:55:23.355652151)

Debug Output

Example Data

No response

Additional Context

This can be reproduced in any environment, and doesn't matter if vector is running locally, in docker, or in kubernetes.
The Proxy receives the connection from vector but doesn't open a connection to the NATS server, as the connection from vector (via the NATS rust lib) is non standard

References

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    type: bugA code related bug.

    Type

    Bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions