
Enforce ssl_cert_reqs='required' by default #1017

Merged: 1 commit, Nov 15, 2018

Conversation

@u2mejc (Contributor) commented Aug 7, 2018

This resolves #1016

@u2mejc (Contributor, Author) commented Aug 8, 2018

In testing this with a coworker, he pointed out that it's also not possible to use ssl.wrap_socket without passing the ca_certs. This makes the code rigid, as it may not be possible to change cert providers without updating your Python code.

Example: to accept the current default AWS ElastiCache cert on Ubuntu, you need to set:

```python
import redis

# host: the ElastiCache endpoint; ssl_ca_certs: the CA bundle that signed its certificate
r = redis.StrictRedis(host, ssl=True, ssl_ca_certs='/usr/share/ca-certificates/mozilla/Starfield_Class_2_CA.crt')
```
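As an added example (not redis-py's own code, and not part of this PR), the block below builds the `ssl.SSLContext` that a redis-py style `ssl_cert_reqs` / `ssl_ca_certs` pair implies, so the difference between the old default (`'none'`, any certificate accepted) and the new default (`'required'`) is visible in one place. The string-to-constant table `CERT_REQS` and the function names are assumptions of this example; the page does not show redis-py's own mapping. It also goes one step beyond the comment above: when no CA file is given it falls back to the platform trust store instead of a hard-coded path, and it enables hostname checking as its own hardening choice.

```python
"""Added example (not redis-py's own code): build the ssl.SSLContext that a
redis-py style `ssl_cert_reqs` / `ssl_ca_certs` pair implies."""
import ssl

# Assumed mapping from redis-py's string values to ssl module constants.
# The value names follow the PR title; the exact table redis-py uses is not on this page.
CERT_REQS = {
    "none": ssl.CERT_NONE,          # no verification: any cert, including a MITM's, is accepted
    "optional": ssl.CERT_OPTIONAL,  # validate a cert if the peer sends one
    "required": ssl.CERT_REQUIRED,  # abort the handshake unless the chain validates
}


def build_ssl_context(ssl_cert_reqs="required", ssl_ca_certs=None):
    """Return a client-side SSLContext for the given redis-py style settings.

    ssl_cert_reqs: 'none' | 'optional' | 'required', or an ssl.CERT_* constant.
    ssl_ca_certs:  path to a CA bundle. When omitted and verification is on, the
                   platform trust store is loaded instead, so changing cert
                   providers does not require a code change.
    """
    if isinstance(ssl_cert_reqs, str):
        try:
            verify_mode = CERT_REQS[ssl_cert_reqs.lower()]
        except KeyError:
            raise ValueError(
                "ssl_cert_reqs must be one of %s" % ", ".join(sorted(CERT_REQS))
            ) from None
    else:
        verify_mode = ssl_cert_reqs

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be off before verify_mode may be lowered to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = verify_mode

    if verify_mode != ssl.CERT_NONE:
        if ssl_ca_certs:
            ctx.load_verify_locations(cafile=ssl_ca_certs)
        else:
            ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)

    if verify_mode == ssl.CERT_REQUIRED:
        # This example's own hardening choice: a validly signed certificate for
        # the wrong host is still a MITM, so also pin the expected hostname.
        ctx.check_hostname = True
    return ctx


def verification_summary(ctx):
    """Describe what a context actually enforces, for review or logging."""
    return {
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
        "check_hostname": ctx.check_hostname,
        "trusted_roots": ctx.cert_store_stats()["x509_ca"],
        "mitm_resistant": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


if __name__ == "__main__":
    # Weak setting beside the corrected one (the PR's new default).
    for reqs in ("none", "required"):
        print(reqs, verification_summary(build_ssl_context(reqs)))
```

Run stand-alone, the `'none'` context reports `CERT_NONE` with hostname checking off, which is the state the linked issue calls MITM-susceptible; the `'required'` context reports `CERT_REQUIRED` with hostname checking on. `trusted_roots` is whatever the platform store (or the bundle you pass) provides; a zero there with `'required'` means every handshake will fail, which is the symptom behind the ca_certs complaint above.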

@andymccurdy (Contributor)

Thanks. Merging this now.

@edmorley commented Nov 26, 2018

Hi :-)

This was listed under "other changes" in the release notes rather than "backwards incompatible changes", which meant we missed this change when reviewing the upgrade, which resulted in breakage in our staging environment until rolled back (Heroku Redis instances don't support strict SSL at present unfortunately).

Could the release notes be updated?

@andymccurdy (Contributor)

@edmorley Thanks for the heads up. Updated the release notes.

Successfully merging this pull request may close these issues.

redis-py ssl support susceptible to MITM attacks by default