Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RedisURI.applySsl(…) does not retain SslVerifyMode #2328

Closed
jacob-pro opened this issue Feb 15, 2023 · 4 comments
Closed

RedisURI.applySsl(…) does not retain SslVerifyMode #2328

jacob-pro opened this issue Feb 15, 2023 · 4 comments
Labels
type: bug A general bug
Milestone
6.2.3.RELEASE

Comments

@jacob-pro
Copy link
Contributor

jacob-pro commented Feb 15, 2023
edited
Loading

Current Behavior

When using RedisClusterClient the SslVerifyMode.CA mode is not respected.

When attaching a debugger I can see the initial call to the cluster succeeds, but the RedisURI is then updated with the incorrect mode, and subsequent calls fail.

Stack trace 
2023-02-14_18:10:14.37717 Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
2023-02-14_18:10:14.37726       at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
2023-02-14_18:10:14.37736       at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
2023-02-14_18:10:14.37745       at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
2023-02-14_18:10:14.37755       at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:429)
2023-02-14_18:10:14.37765       at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
2023-02-14_18:10:14.37778       at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
2023-02-14_18:10:14.37782       at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:234)
2023-02-14_18:10:14.37786       at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:748)
2023-02-14_18:10:14.37792       at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
2023-02-14_18:10:14.37795       at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:645)
2023-02-14_18:10:14.37798       at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1255)
2023-02-14_18:10:14.37801       at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1392)
2023-02-14_18:10:14.37804       at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:217)
2023-02-14_18:10:14.37913       at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1342)

Input Code

Input Code 
val uri = RedisURI.builder()
    .withSsl(true)
    .withHost("localhost")
    .withPort(6379)
    .withVerifyPeer(SslVerifyMode.CA)
    .build();

try (var clusterClient = RedisClusterClient.create(uri)) {
    try (var connection = clusterClient.connect()) {
        ...
    }
}

Environment

  • Lettuce version(s): 6.2.2.RELEASE
  • Redis version: 7.0.8

Possible Solution

I'm fairly certain the bug is coming from here:

https://github.com/lettuce-io/lettuce-core/blob/dcd7085f18e453cc2624b673f8da1c9fb56c9fe0/src/main/java/io/lettuce/core/RedisURI.java#L623-L630

The SslVerifyMode is not being fully propagated to the new RedisURIs.

I have opened a PR for this: #2329

Additional context

I think what has happened was when this commit added the SslVerifyMode.CA the code, the applySsl() function wasn't updated.

Relates to: #1460
@jacob-pro jacob-pro mentioned this issue Feb 15, 2023
Merged
@mp911de mp911de changed the title SslVerifyMode.CA mode does not work with cluster connections RedisURI. applySsl(…) does not retain SslVerifyMode Feb 15, 2023
@mp911de mp911de added the type: bug A general bug label Feb 15, 2023
@mp911de
Copy link
Collaborator

mp911de commented Feb 15, 2023

Thanks for the report and your bug fix. This is an oversight on our end and we need to fix it.

@mp911de mp911de added this to the 6.2.3.RELEASE milestone Feb 15, 2023
mp911de pushed a commit that referenced this issue Feb 15, 2023
@jacob-pro
Apply SslVerifyMode in RedisURI. applySsl(…) #2328
07a0e5b 
Co-authored-by: Jacob Halsey <jacob.d.halsey@oracle.com>
Original pull request: #2329
mp911de pushed a commit that referenced this issue Feb 15, 2023
@jacob-pro @mp911de
Apply SslVerifyMode in RedisURI. applySsl(…) #2328
85713fa 
Co-authored-by: Jacob Halsey <jacob.d.halsey@oracle.com>
Original pull request: #2329
@mp911de
Copy link
Collaborator

mp911de commented Feb 15, 2023

That's fixed now.

@mp911de mp911de closed this as completed Feb 15, 2023
@mp911de mp911de changed the title RedisURI. applySsl(…) does not retain SslVerifyMode RedisURI.applySsl(…) does not retain SslVerifyMode Feb 15, 2023
@jacob-pro
Copy link
Contributor Author

Thank you for the fast response and review! Any idea when this will be released?

@mp911de
Copy link
Collaborator

mp911de commented Feb 15, 2023

I'm a bit torn because I have little bandwidth these days. On the other side, Spring Data Redis could pick Lettuce up by Friday.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: bug A general bug
Projects
None yet
Milestone
6.2.3.RELEASE
Development

No branches or pull requests
2 participants
@mp911de @jacob-pro