New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client connections created for TLS-based replication use SNI if possible #11458
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@CatboxParadox Thanks, this makes sense. Technically, this could be considered a breaking change in extreme cases but I think we can accept it as-is and not make it optional. @redis/core-team any other opinions?
@yossigo for completeness, can you describe the case and how it'll break? |
@oranagra It's a breaking change because Redis did not include an SNI in the past and will include it now (when connecting to a hostname, not an IP). Forwarding the connections through a proxy may result in different routing and subsequent connectivity issues, depending on how the proxy is configured. |
conceptually approved in a core team meeting for 7.2 |
When establishing an outgoing TLS connection using a hostname as a target, use TLS SNI extensions to include the hostname in use.
When establishing an outgoing TLS connection using a hostname as a target, use TLS SNI extensions to include the hostname in use.
When establishing an outgoing TLS connection using a hostname as a target, use TLS SNI extensions to include the hostname in use.
It is not possible to reliably select the target server instance for TLS replication in case that the target sits behind a TLS (terminating or pass-through) proxy, as there's no SNI extension in the ClientHello message sent via the connection created for the sake of replication.
This is a simple attempt at setting the SNI to the value of the master server's address, in case that address is not actually an IP