[7.5] Backport #4495: Enforce hostname verification by default for TLS connections (#4497)
Merged
Enable HTTPS endpoint identification algorithm by default in DefaultJedisSocketFactory when ssl(true) is used without custom SSLParameters. Add tests (Jedis, RedisClient, RedisClusterClient, RedisSentinelClient) to verify hostname verification failure when certificate CN/SAN doesn't match the connection hostname. Users can still override by providing custom SSLParameters. Fixes: CAE-2794
…Options" This reverts commit 36fed37.
…ters config Mark legacy SSL configuration (ssl, sslSocketFactory, sslParameters getters and builder setters) as @deprecated since 7.4.2 in favor of SslOptions, and update JedisClientConfig / SslOptions Javadoc.
Jit Security Scan Results: No security findings were detected in this PR (security scan by Jit).
Backport of #4495 to 7.5.

Enables HTTPS endpoint identification by default in `DefaultJedisSocketFactory` when `ssl(true)` is used without custom `SSLParameters`, closing the hostname verification bypass. Deprecates the low-level SSL config methods (`getSslSocketFactory`, `getSslParameters`, and the corresponding builder setters) in favor of `SslOptions`, and adds `SslOptions.defaults()` as a one-line migration from `ssl(true)`. See #4495 for behavior change and fallback options.

Fixes: CAE-2794
Note: High Risk

Behavior changes in TLS socket creation now enforce HTTPS endpoint identification by default, which can break existing deployments that relied on connecting via IP/incorrect hostnames. Changes touch connection security defaults and related config APIs.

Overview

TLS connections created via legacy `ssl(true)` now enable hostname verification by default by applying `SSLParameters` with HTTPS endpoint identification in `DefaultJedisSocketFactory` when callers don't supply custom parameters. Legacy low-level SSL configuration (`getSslSocketFactory`, `getSslParameters`, and the corresponding `DefaultJedisClientConfig.Builder` setters including `ssl(boolean)`) is deprecated in favor of `SslOptions`, and `SslOptions.defaults()` is added as a one-line migration path. Integration tests and test fixtures are updated to cover hostname-mismatch failures across standalone, `RedisClient`, cluster, and sentinel TLS setups, including explicit opt-out via custom `SSLParameters`, plus new `*-wronghost` endpoints and sentinel config tweaks to use hostnames.

Reviewed by Cursor Bugbot for commit 8d91535.
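The PR description and the Bugbot overview above both describe the same decision: when TLS is requested and the caller supplied no `SSLParameters`, the socket factory sets the HTTPS endpoint identification algorithm so JSSE checks the server certificate's SAN/CN against the hostname the client connected to. The following is an added stand-alone sketch of that decision using only the JDK's `javax.net.ssl` API; it is not Jedis' `DefaultJedisSocketFactory` and the class and method names (`HostnameVerifyingSocketFactory`, `effectiveParameters`, `withoutHostnameVerification`) are assumptions made for this illustration.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Illustration (not Jedis code) of "verify the hostname unless the caller
 * explicitly chose otherwise". A null customParameters means the caller
 * relied on defaults, which now include HTTPS endpoint identification.
 */
public final class HostnameVerifyingSocketFactory {

  private final SSLSocketFactory sslSocketFactory;
  private final SSLParameters customParameters; // null: no custom parameters supplied

  public HostnameVerifyingSocketFactory(SSLSocketFactory sslSocketFactory,
                                        SSLParameters customParameters) {
    this.sslSocketFactory = sslSocketFactory != null
        ? sslSocketFactory
        : (SSLSocketFactory) SSLSocketFactory.getDefault();
    this.customParameters = customParameters;
  }

  /** Parameters that will actually be applied to a freshly created socket. */
  SSLParameters effectiveParameters(SSLSocket socket) {
    if (customParameters != null) {
      // Caller's explicit choice wins, including an explicit opt-out.
      return customParameters;
    }
    // Start from the socket's negotiated defaults so cipher suites and
    // protocol versions are untouched; only switch on name verification.
    SSLParameters params = socket.getSSLParameters();
    params.setEndpointIdentificationAlgorithm("HTTPS");
    return params;
  }

  /**
   * Opens a TLS connection. The host string passed to createSocket is what
   * endpoint identification compares against the certificate, so connecting
   * by IP literal fails unless the certificate carries that IP as a SAN.
   */
  public SSLSocket connect(String host, int port, int timeoutMillis) throws IOException {
    Socket plain = new Socket();
    plain.connect(new InetSocketAddress(host, port), timeoutMillis);
    SSLSocket ssl = (SSLSocket) sslSocketFactory.createSocket(plain, host, port, true);
    ssl.setSSLParameters(effectiveParameters(ssl));
    // A name mismatch surfaces here as an SSLHandshakeException.
    ssl.startHandshake();
    return ssl;
  }

  /**
   * The explicit opt-out the PR leaves in place: custom SSLParameters with
   * no endpoint identification algorithm. Setting only this field leaves the
   * socket's cipher suites and protocols unchanged when applied.
   */
  public static SSLParameters withoutHostnameVerification() {
    SSLParameters params = new SSLParameters();
    params.setEndpointIdentificationAlgorithm(null);
    return params;
  }

  public static void main(String[] args) throws IOException {
    // Default path: hostname verification on (same as ssl(true) after this PR).
    HostnameVerifyingSocketFactory verifying = new HostnameVerifyingSocketFactory(null, null);
    // Opt-out path: equivalent to supplying custom SSLParameters to the client config.
    HostnameVerifyingSocketFactory optOut =
        new HostnameVerifyingSocketFactory(null, withoutHostnameVerification());
    String host = args.length > 0 ? args[0] : "redis.example.internal"; // placeholder host
    int port = args.length > 1 ? Integer.parseInt(args[1]) : 6379;
    try (SSLSocket s = verifying.connect(host, port, 5000)) {
      System.out.println("verified: " + s.getSession().getPeerPrincipal());
    }
    try (SSLSocket s = optOut.connect(host, port, 5000)) {
      System.out.println("unverified name, protocol " + s.getSession().getProtocol());
    }
  }
}
```

In Jedis terms, `DefaultJedisClientConfig.builder().ssl(true).build()` now follows the null-parameters path above, and a deployment that connects by IP or through a name the certificate does not cover will start failing at handshake; the intended fix is to connect by a hostname the certificate lists (or issue a certificate with the right SAN), not to disable verification. Passing `.sslParameters(...)` with the endpoint identification algorithm cleared is the opt-out the PR keeps, and it is worth grepping for during review because it silently reintroduces the bypass this change closes. `SslOptions.defaults()` is the migration path named on the page; its exact builder wiring is not shown here and would need to be checked against the 7.5 API.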