Skip to content

Support Lettuce SSL/TLS Verification Modes #2899

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
philsttr opened this issue Apr 21, 2024 · 5 comments
Closed

Support Lettuce SSL/TLS Verification Modes #2899

philsttr opened this issue Apr 21, 2024 · 5 comments
Labels
type: enhancement A general enhancement
Milestone
3.4 M1 (2024.1.0)

Comments

@philsttr
Copy link

Lettuce 6.1.0.RELEASE added support for three SSL/TLS verification modes (SslVerifyMode):

  • NONE (corresponds with setVerifyPeer(false))
  • CA (only verifies the CA and cert, without verifying the hostname matches)
  • FULL (corresponds with setVerifyPeer(true))

The new CA mode is most helpful for cluster mode, where the seed connection is made via hostname (and thus matches hostnames in the certificate), but then cluster node connections are made by IP address (which typically do not appear in SubjectAltNames of the certificate, particularly for redis instances from cloud providers).

Currently, Spring Data Redis only supports setVerifyPeer(boolean). I would like Spring Data Redis to support the three verification modes that Lettuce >= 6.1 now supports.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 21, 2024
@mp911de mp911de added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 22, 2024
@philsttr
Copy link
Author

Also somewhat related, I filed redis/lettuce#2837 to request an enhancement to verification modes to better secure connecting to redis in cluster mode from cloud providers.

@AnneMayor
Copy link
Contributor

I think this is a good issue to approach for me. I am going to open PR within this weekend :)

@AnneMayor
Copy link
Contributor

AnneMayor commented Jun 2, 2024
edited
Loading

Since I have to do my work as soon as quickly I am going to open this PR until the end of June. Thanks.

@baojian123 baojian123 mentioned this issue Jun 30, 2024
Closed
4 tasks
@baojian123
Copy link
Contributor

Hi @AnneMayor, I have opened a PR on this issue.

@AnneMayor
Copy link
Contributor

Thank, @baojian123 👍

@mp911de mp911de added this to the 3.4 M1 (2024.1.0) milestone Aug 8, 2024
@mp911de mp911de closed this as completed in b41547e Aug 8, 2024
mp911de added a commit that referenced this issue Aug 8, 2024
@mp911de
Polishing.
ba2c9ba 
Remove verifyMode setters on LettuceConnectionFactory to not expose additional properties already exposed via ClientConfiguration.

Deprecate LettuceClientConfiguration.isVerifyPeer in favor of getVerifyMode.

See #2899
Original pull request: #2934
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: enhancement A general enhancement
Projects
None yet
Milestone
3.4 M1 (2024.1.0)
Development

Successfully merging a pull request may close this issue.

Replace verifyPeer with verifyMode baojian123/spring-data-redis
5 participants
@mp911de @philsttr @AnneMayor @baojian123 @spring-projects-issues