Inadequate Encryption Strength

CVE-2021-32026

Severity Low
Score 3.7/10

Summary

By default the NATS server uses a restricted set of modern TLS cipher suites; this selection can be overridden through configuration. The defaults include only RSA and ECDSA authentication with either AES-GCM and a SHA-2 digest or ChaCha20-Poly1305. The configuration system also allows extensive use of CLI options to override configuration settings. When these were used to set a key/cert for TLS, the restricted cipher suite settings were lost, enabling all cipher suites that Go supports by default. This issue affects github.com/nats-io/nats-server versions prior to 2.2.3.

  • Attack Complexity: HIGH
  • Attack Vector: NETWORK
  • Confidentiality: LOW
  • Scope: UNCHANGED
  • Privileges Required: NONE
  • User Interaction: NONE
  • Integrity: NONE
  • Availability: NONE

CWE-326 - Inadequate Encryption Strength

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
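As an added example (not nats-server code), the Go probe below reproduces the distinction the summary draws: a server whose tls.Config leaves CipherSuites nil falls back to Go's full default list and will negotiate a CBC/SHA-1 suite, while the restricted set only negotiates AES-GCM or ChaCha20-Poly1305. The HardenedSuites list is an assumption matching the defaults the summary describes, and the certificate is constructed on the fly so the handshake runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// HardenedSuites is the restricted set the summary describes (ECDHE with RSA or ECDSA,
// AES-GCM/SHA-2 or ChaCha20-Poly1305); assumed to match the nats-server defaults.
var HardenedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// Accepts runs one TLS 1.2 handshake over an in-memory pipe. The server is limited to
// serverSuites (nil means Go's full default list, the state the CLI override produced
// before 2.2.3); the client offers only `offered`. It reports whether that suite was accepted.
func Accepts(serverSuites []uint16, offered uint16) (bool, error) {
	// Throwaway self-signed ECDSA certificate so the probe runs offline (constructed, not trusted).
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: serverSuites,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	sConn, cConn := net.Pipe()
	client := tls.Client(cConn, &tls.Config{
		InsecureSkipVerify: true, // the cert above is self-signed; only suite selection matters here
		MinVersion:         tls.VersionTLS12, MaxVersion: tls.VersionTLS12, // TLS 1.3 suites are not configurable
		CipherSuites:       []uint16{offered},
	})
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(sConn, srvCfg).Handshake() }()
	clientErr := client.Handshake()
	return clientErr == nil && <-errc == nil, nil
}
```

Running Accepts(nil, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) against Accepts(HardenedSuites, ...) with the same suite shows the weakened and the intended behaviour side by side.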

Advisory Timeline

  • Published