diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml
index 25e8f26..e9269a7 100644
--- a/.github/workflows/go.yaml
+++ b/.github/workflows/go.yaml
@@ -9,7 +9,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go: [ '1.19' ]
+        go: [ '1.20' ]
         os: [ ubuntu-latest, macOS-latest ]
     runs-on: ${{matrix.os}}
     steps:
@@ -23,7 +23,6 @@ jobs:
         shell: bash --noprofile --norc -x -eo pipefail {0}
         run: |
           cd /tmp
-          go install -v github.com/wadey/gocovmerge@latest
           go install -v github.com/golangci/golangci-lint/cmd/golangci-lint@latest
       - name: Lint
         shell: bash --noprofile --norc -x -eo pipefail {0}
@@ -33,6 +32,7 @@ jobs:
           golangci-lint run \
              --no-config --exclude-use-default=false --max-same-issues=0 \
                --disable errcheck \
+               --disable gocritic \
                --enable stylecheck \
                --enable unconvert \
                --enable gocyclo \
@@ -41,7 +41,6 @@ jobs:
                --enable unparam \
                --enable nakedret \
                --enable prealloc \
-               --enable gocritic \
                --enable misspell \
                ./...
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 85651d5..8be1cda 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -13,7 +13,7 @@ jobs:
     - name: Setup Go
       uses: actions/setup-go@v3
       with:
-        go-version: '1.19'
+        go-version: '1.20'
 
     - name: Setup QEMU
       uses: docker/setup-qemu-action@v2
diff --git a/surveyor/conn_pool.go b/surveyor/conn_pool.go
index d71f486..c3b47b2 100644
--- a/surveyor/conn_pool.go
+++ b/surveyor/conn_pool.go
@@ -1,7 +1,6 @@
 package surveyor
 
 import (
-	"bytes"
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/json"
@@ -15,19 +14,18 @@ import (
 )
 
 type natsContext struct {
-	Name        string      `json:"name"`
-	URL         string      `json:"url"`
-	JWT         string      `json:"jwt"`
-	Seed        string      `json:"seed"`
-	Credentials string      `json:"credential"`
-	Nkey        string      `json:"nkey"`
-	Token       string      `json:"token"`
-	Username    string      `json:"username"`
-	Password    string      `json:"password"`
-	TLSCA       string      `json:"tls_ca"`
-	TLSCert     string      `json:"tls_cert"`
-	TLSKey      string      `json:"tls_key"`
-	TLSConfig   *tls.Config `json:"-"`
+	Name        string `json:"name"`
+	URL         string `json:"url"`
+	JWT         string `json:"jwt"`
+	Seed        string `json:"seed"`
+	Credentials string `json:"credential"`
+	Nkey        string `json:"nkey"`
+	Token       string `json:"token"`
+	Username    string `json:"username"`
+	Password    string `json:"password"`
+	TLSCA       string `json:"tls_ca"`
+	TLSCert     string `json:"tls_cert"`
+	TLSKey      string `json:"tls_key"`
 }
 
 func (c *natsContext) copy() *natsContext {
@@ -35,7 +33,6 @@ func (c *natsContext) copy() *natsContext {
 		return nil
 	}
 	cp := *c
-	cp.TLSConfig = c.TLSConfig.Clone()
 	return &cp
 }
 
@@ -79,11 +76,6 @@ func (c *natsContext) hash() (string, error) {
 		}
 		b = append(b, fb...)
 	}
-	if c.TLSConfig != nil {
-		for _, cert := range c.TLSConfig.Certificates {
-			b = append(b, bytes.Join(cert.Certificate, []byte(","))...)
-		}
-	}
 	hash := sha256.New()
 	hash.Write(b)
 	return fmt.Sprintf("%x", hash.Sum(nil)), nil
@@ -167,9 +159,6 @@ func (cp *natsConnPool) Get(cfg *natsContext) (*pooledNatsConn, error) {
 	if cfg.TLSKey == "" {
 		cfg.TLSKey = cp.natsDefaults.TLSKey
 	}
-	if cfg.TLSConfig == nil {
-		cfg.TLSConfig = cp.natsDefaults.TLSConfig
-	}
 
 	// get hash
 	key, err := cfg.hash()
@@ -247,13 +236,6 @@ func (cp *natsConnPool) getPooledConn(key string, cfg *natsContext) (*pooledNats
 			opts = append(opts, nats.RootCAs(cfg.TLSCA))
 		}
 
-		if cfg.TLSConfig != nil {
-			if cfg.TLSCert != "" || cfg.TLSKey != "" || cfg.TLSCA != "" {
-				return nil, fmt.Errorf("both TLS certificate file and tls.Config cannot be provided")
-			}
-			opts = append(opts, nats.Secure(cfg.TLSConfig))
-		}
-
 		if cfg.TLSCert != "" && cfg.TLSKey != "" {
 			opts = append(opts, nats.ClientCert(cfg.TLSCert, cfg.TLSKey))
 		}
diff --git a/surveyor/jetstream_advisories.go b/surveyor/jetstream_advisories.go
index cebd76a..689a747 100644
--- a/surveyor/jetstream_advisories.go
+++ b/surveyor/jetstream_advisories.go
@@ -14,7 +14,6 @@
 package surveyor
 
 import (
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io/fs"
@@ -250,10 +249,6 @@ type JSAdvisoryConfig struct {
 	TLSCA       string `json:"tls_ca"`
 	TLSCert     string `json:"tls_cert"`
 	TLSKey      string `json:"tls_key"`
-
-	// tls.Config cannot be provided in observation config file,
-	// only programmatically
-	TLSConfig *tls.Config `json:"-"`
 }
 
 // JSAdvisoriesExternalAccountConfig is used to configure external accounts from which
@@ -328,7 +323,6 @@ func (o *JSAdvisoryConfig) copy() *JSAdvisoryConfig {
 		return nil
 	}
 	cp := *o
-	cp.TLSConfig = o.TLSConfig.Clone()
 	return &cp
 }
 
@@ -392,7 +386,6 @@ func (o *jsAdvisoryListener) natsContext() *natsContext {
 		TLSCA:       o.config.TLSCA,
 		TLSCert:     o.config.TLSCert,
 		TLSKey:      o.config.TLSKey,
-		TLSConfig:   o.config.TLSConfig,
 	}
 
 	return natsCtx
diff --git a/surveyor/observation.go b/surveyor/observation.go
index 513fce4..4444e72 100644
--- a/surveyor/observation.go
+++ b/surveyor/observation.go
@@ -14,7 +14,6 @@
 package surveyor
 
 import (
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -140,10 +139,6 @@ type ServiceObsConfig struct {
 	TLSCA       string `json:"tls_ca"`
 	TLSCert     string `json:"tls_cert"`
 	TLSKey      string `json:"tls_key"`
-
-	// tls.Config cannot be provided in observation config file,
-	// only programmatically
-	TLSConfig *tls.Config `json:"-"`
 }
 
 type ServiceObservationExternalAccountConfig struct {
@@ -204,7 +199,6 @@ func (o *ServiceObsConfig) copy() *ServiceObsConfig {
 		return nil
 	}
 	cp := *o
-	cp.TLSConfig = o.TLSConfig.Clone()
 	return &cp
 }
 
@@ -267,7 +261,6 @@ func (o *serviceObsListener) natsContext() *natsContext {
 		TLSCA:       o.config.TLSCA,
 		TLSCert:     o.config.TLSCert,
 		TLSKey:      o.config.TLSKey,
-		TLSConfig:   o.config.TLSConfig,
 	}
 
 	// legacy Credentials field
diff --git a/surveyor/surveyor.go b/surveyor/surveyor.go
index aa07015..0bd1537 100644
--- a/surveyor/surveyor.go
+++ b/surveyor/surveyor.go
@@ -69,7 +69,6 @@ type Options struct {
 	CertFile             string
 	KeyFile              string
 	CaFile               string
-	TLSConfig            *tls.Config
 	HTTPCertFile         string
 	HTTPKeyFile          string
 	HTTPCaFile           string
@@ -79,7 +78,8 @@ type Options struct {
 	ObservationConfigDir string
 	JetStreamConfigDir   string
 	Accounts             bool
-	Logger               *logrus.Logger
+	Logger               *logrus.Logger    // not exposed by CLI
+	NATSOpts             []nats.Option     // not exposed by CLI
 	ConstLabels          prometheus.Labels // not exposed by CLI
 	DisableHTTPServer    bool              // not exposed by CLI
 }
@@ -156,14 +156,13 @@ func NewSurveyor(opts *Options) (*Surveyor, error) {
 
 func newSurveyorConnPool(opts *Options, reconnectCtr *prometheus.CounterVec) *natsConnPool {
 	natsDefaults := &natsContextDefaults{
-		Name:      opts.Name,
-		URL:       opts.URLs,
-		TLSCert:   opts.CertFile,
-		TLSKey:    opts.KeyFile,
-		TLSCA:     opts.CaFile,
-		TLSConfig: opts.TLSConfig,
-	}
-	natsOpts := []nats.Option{
+		Name:    opts.Name,
+		URL:     opts.URLs,
+		TLSCert: opts.CertFile,
+		TLSKey:  opts.KeyFile,
+		TLSCA:   opts.CaFile,
+	}
+	natsOpts := append(opts.NATSOpts,
 		nats.DisconnectErrHandler(func(c *nats.Conn, err error) {
 			if err != nil {
 				opts.Logger.Warnf("%q disconnected, will possibly miss replies: %v", c.Opts.Name, err)
@@ -184,7 +183,7 @@ func newSurveyorConnPool(opts *Options, reconnectCtr *prometheus.CounterVec) *na
 			}
 		}),
 		nats.MaxReconnects(10240),
-	}
+	)
 	return newNatsConnPool(opts.Logger, natsDefaults, natsOpts)
 }
 
diff --git a/surveyor/surveyor_test.go b/surveyor/surveyor_test.go
index 476c179..43defa2 100644
--- a/surveyor/surveyor_test.go
+++ b/surveyor/surveyor_test.go
@@ -435,7 +435,7 @@ func TestSurveyor_ClientTLS(t *testing.T) {
 
 		opts := getTestOptions()
 		opts.URLs = "127.0.0.1:4223"
-		opts.TLSConfig = tlsConfig
+		opts.NATSOpts = []nats.Option{nats.Secure(tlsConfig)}
 
 		s, err := NewSurveyor(opts)
 		if err != nil {
@@ -448,27 +448,6 @@ func TestSurveyor_ClientTLS(t *testing.T) {
 
 		pollAndCheckDefault(t, "nats_core_mem_bytes")
 	})
-	t.Run("error passing both tls config and files", func(t *testing.T) {
-		tlsConfig, err := parseTLSConfig(clientCert, clientKey, caCertFile)
-		if err != nil {
-			t.Fatalf("Error parsing TLS config: %s", err)
-		}
-
-		opts := getTestOptions()
-		opts.URLs = "127.0.0.1:4223"
-		opts.CaFile = caCertFile
-		opts.CertFile = clientCert
-		opts.KeyFile = clientKey
-		opts.TLSConfig = tlsConfig
-
-		s, err := NewSurveyor(opts)
-		if err != nil {
-			t.Fatalf("couldn't create surveyor: %v", err)
-		}
-		if err = s.Start(); err == nil || !strings.Contains(err.Error(), "both TLS certificate file and tls.Config cannot be provided") {
-			t.Fatalf("start error: %v", err)
-		}
-	})
 }
 
 func TestSurveyor_HTTPS(t *testing.T) {