Skip to content

fix(redis): RedisClusterBroker silently drops TLS config from BaseSecurity#2935

Merged
Lancetnik merged 2 commits into
mainfrom
fix/redis-cluster-tls-security
Jul 14, 2026
Merged

fix(redis): RedisClusterBroker silently drops TLS config from BaseSecurity#2935
Lancetnik merged 2 commits into
mainfrom
fix/redis-cluster-tls-security

Conversation

@Lancetnik

Copy link
Copy Markdown
Member

Description

RedisClusterBroker silently dropped TLS when configured with BaseSecurity(use_ssl=True): parse_security() conveys TLS via connection_class: SSLConnection, but CLUSTER_INCOMPATIBLE_PARAMS filters connection_class out in _resolve_url_options(), so RedisCluster(**opts) received zero SSL config and connected over plaintext (timing out against TLS-only clusters such as AWS MemoryDB). Introduced in #2854.

Fixes #2909

What changed

  • RedisClusterBroker._resolve_url_options now translates TLS intent into RedisCluster's native ssl=True flag after the incompatible-params filter. This covers both BaseSecurity(use_ssl=True) and rediss:// URLs (which hit the same silent-drop path via parse_url's connection_class). setdefault is used so explicit user ssl/ssl_* kwargs are preserved, and the injected ssl option also flows into the sync Pub/Sub cluster client, which already reads it.
  • Custom ssl_context on cluster: the async RedisCluster constructor has no ssl_context/connection_class parameter (verified against redis-py 7.4), so the fix proposed in the issue would raise TypeError at connect time. Instead a RuntimeWarning is emitted telling the user to use the ssl_ca_certs/ssl_certfile/ssl_keyfile/ssl_* options, while ssl=True is still applied — no more silent plaintext.
  • _parse_base_security (plain RedisBroker): the generated SSLConnection._connection_arguments passed ssl: None when no explicit ssl_context was given, which disables TLS in asyncio.open_connection — the same bug in the non-cluster broker. It now falls back to ssl: True (default SSL context).

Verified end-to-end that the options produced by the broker construct a RedisCluster whose connection_kwargs["connection_class"] is redis-py's own SSLConnection, and that the issue's repro assertions are resolved.

Type of change

  • Bug fix (a non-breaking change that resolves an issue)

Checklist

  • My code adheres to the style guidelines of this project (just lint shows no errors)
  • I have conducted a self-review of my own code
  • I have made the necessary changes to the documentation
  • My changes do not generate any new warnings
  • I have added tests to validate the effectiveness of my fix or the functionality of my new feature
  • Both new and existing unit tests pass successfully on my local environment
  • I have ensured that static analysis tests are passing by running just static-analysis
  • I have included code examples to illustrate the modifications

🤖 Generated with Claude Code

BaseSecurity(use_ssl=True) conveys TLS via connection_class, which
CLUSTER_INCOMPATIBLE_PARAMS filters out of the cluster connection
options — so RedisClusterBroker silently connected over plaintext.
Translate it to RedisCluster's native `ssl` flag instead (also for
rediss:// URLs), and warn when a custom ssl_context is provided since
RedisCluster cannot accept one.

Also fix _parse_base_security to fall back to ssl=True when no
explicit ssl_context is given — previously it passed ssl=None,
disabling TLS for the plain RedisBroker as well.

Fixes #2909

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@github-actions github-actions Bot added the Redis Issues related to `faststream.redis` module and Redis features label Jul 14, 2026
@Lancetnik Lancetnik added this pull request to the merge queue Jul 14, 2026
Merged via the queue into main with commit 7ea84bf Jul 14, 2026
30 checks passed
@Lancetnik Lancetnik deleted the fix/redis-cluster-tls-security branch July 14, 2026 12:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Redis Issues related to `faststream.redis` module and Redis features

Projects

None yet

Development

Successfully merging this pull request may close these issues.

RedisClusterBroker silently drops TLS config from BaseSecurity

2 participants