
fix: enforce Redis TLS certificate verification for rate limiter#614

Merged
winhowes merged 2 commits into main from codex/propose-fix-for-redis-tls-vulnerability
Apr 13, 2026

Conversation

@winhowes (Owner)

Motivation

  • Close a security regression where rediss:// connections disabled certificate validation via InsecureSkipVerify, allowing on‑path attackers to impersonate Redis and capture AUTH credentials or tamper with rate limiting state.
  • Ensure operators who opt into TLS get authentic server verification by default.

Description

  • Removed the fallback that set tls.Config.InsecureSkipVerify = true when --redis-ca was not provided so TLS connections perform normal certificate verification by default in both allowRedis and retryAfterRedis.
  • Updated the --redis-ca flag description (removed the wording implying it "disables InsecureSkipVerify").
  • Modified the existing tests in app/redis_tls_auth_test.go to assert that rediss:// with an untrusted certificate fails verification unless a CA is provided, and renamed the test to TestRateLimiterRedisTLSAuthRequiresVerification.

Testing

  • Ran the package test suite with go test ./app and all tests passed.
  • The modified TLS verification tests exercise both failure without a CA and success when a CA is supplied (existing tests cover the latter), validating the behavior change.

Codex Task
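The difference between the regression and the fix, shown as an added example that is not the project's own code: vulnerableTLSConfig reproduces the old fallback (no --redis-ca bundle means InsecureSkipVerify = true), hardenedTLSConfig is the post-fix behaviour (never disable verification; without a bundle Go falls back to the system trust store, with one the bundle is the only trust anchor). The function names, the "redis.test" server name and the in-process listener presenting a constructed self-signed certificate are all assumptions made for the demonstration; the project's actual changes live in allowRedis and retryAfterRedis, which are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// vulnerableTLSConfig (hypothetical name) reproduces the regression: with no CA
// bundle it disables verification, so an on-path impostor's cert is accepted.
func vulnerableTLSConfig(serverName string, caPEM []byte) *tls.Config {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	if caPEM == nil {
		cfg.InsecureSkipVerify = true // the bug: no chain check, no hostname check
		return cfg
	}
	cfg.RootCAs = x509.NewCertPool()
	cfg.RootCAs.AppendCertsFromPEM(caPEM)
	return cfg
}

// hardenedTLSConfig (hypothetical name) never touches InsecureSkipVerify.
// RootCAs == nil means the system trust store; a bundle becomes the sole anchor.
func hardenedTLSConfig(serverName string, caPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("redis-ca: no certificates found in PEM bundle")
		}
		cfg.RootCAs = pool
	}
	return cfg, nil
}

// selfSignedCert builds a constructed, throwaway certificate for serverName so the
// handshake runs offline. It stands in for an untrusted (or attacker) Redis cert;
// its PEM doubles as the bundle an operator would pass via --redis-ca.
func selfSignedCert(serverName string) (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, caPEM, nil
}

// handshake serves srv on a loopback TLS listener and dials it with cfg.
// nil means the client accepted the server certificate; a non-nil error is the
// verification failure a real client sees when connecting to an impostor.
func handshake(srv tls.Certificate, cfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // server side; errors if the client rejects us
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	srv, caPEM, err := selfSignedCert("redis.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("before, no CA: ", handshake(srv, vulnerableTLSConfig("redis.test", nil)))
	cfg, _ := hardenedTLSConfig("redis.test", nil)
	fmt.Println("after, no CA:  ", handshake(srv, cfg))
	cfg, _ = hardenedTLSConfig("redis.test", caPEM)
	fmt.Println("after, with CA:", handshake(srv, cfg))
}
```

The three runs line up with the PR's test matrix: the old fallback accepts the untrusted certificate outright, the fixed config without a bundle rejects it (unknown authority, or a system-roots error on a host with no trust store, either way a failed handshake), and the fixed config with the bundle succeeds. Passing a ServerName that the certificate does not cover still fails with the bundle present, which is the hostname check InsecureSkipVerify was also silently discarding.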

@winhowes (Owner, Author)

@codex review

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1365aaf460

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread app/redis_tls_auth_test.go
@winhowes (Owner, Author)

@codex review

@chatgpt-codex-connector (Bot)

Codex Review: Didn't find any major issues. You're on a roll.


@winhowes winhowes merged commit 1cc56dc into main Apr 13, 2026
3 checks passed

1 participant