Feature Request
For cluster-mode connections, fully verify certificates and hostnames for seed connections, but only verify certificates (without hostname verification) for discovered cluster node connections where IP addresses are used.
Is your feature request related to a problem? Please describe
When using redis instances provided by cloud providers in cluster mode with SSL enabled, the cloud providers typically provide a certificate that only matches the hostname, and does not contain subject alternative names for the IP addresses in the cluster.
When using SslVerifyMode.FULL, the seed connection will work properly because it is typically made using hostnames, which match the certificate hostname. However, after lettuce discovers all the cluster nodes, and attempts connections to individual cluster nodes, lettuce uses IP addresses, and those connections will fail hostname verification. Therefore, currently SslVerifyMode.FULL cannot be used.
In this case, you currently have to use SslVerifyMode.CA. But that means that the hostname is not verified for the seed connection.
Describe the solution you'd like
I would like an SslVerifyMode that fully verifies the certificate (signature and hostname) on cluster seed connections, but only verifies the certificate (without verifying hostnames) on cluster node connections when IP addresses are used.
A simple implementation would be to have an SslVerifyMode that only performs hostname verification on connections where an actual hostname is used, but does not perform hostname verification where only an IP address is used (which would be the case for cluster node connections by IP). In this case, the connection logic would not know if the connection is a "seed" connection or a specific node connection. It only needs to know the destination.
Describe alternatives you've considered
Using SslVerifyMode.CA will allow all connections to be established, but it does not perform hostname verification on the seed connections as I would like.
Teachability, Documentation, Adoption, Migration Strategy
SslVerifyMode.FULL_IF_HOSTNAME (naming is hard; better names welcome) - Fully verifies the certificate and its hostname when a connection is made using a hostname, but only verifies the certificate (without hostname verification) when a connection is made using an IP address. This is useful when using cluster mode, and the SSL certificate does not contain subject alternative names for IP addresses.
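The per-endpoint decision the proposal describes, written out as a Python sketch (an added example, not Lettuce code): chain verification stays on for every connection, and hostname verification is switched off only when the target is an IP literal. The `SslVerifyMode` enum, `is_ip_literal`, `effective_mode` and `ssl_context_for` names are constructed for this example.

```python
"""Sketch of the proposed FULL_IF_HOSTNAME verify mode (constructed example).

Not Lettuce code: chain verification is always on; hostname verification is
enabled only when the endpoint is a DNS name, which is what the issue proposes
for discovered cluster nodes reached by IP literal.
"""
import ipaddress
import ssl
from enum import Enum


class SslVerifyMode(Enum):
    NONE = "none"                          # no verification at all
    CA = "ca"                              # verify the chain only
    FULL = "full"                          # verify chain and hostname
    FULL_IF_HOSTNAME = "full_if_hostname"  # proposed: FULL for names, CA for IPs


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, including bracketed IPv6 and zone ids."""
    h = host.strip()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]                 # [2001:db8::1] -> 2001:db8::1
    h = h.split("%", 1)[0]          # drop an IPv6 zone id such as fe80::1%eth0
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def effective_mode(requested: SslVerifyMode, host: str) -> SslVerifyMode:
    """Resolve FULL_IF_HOSTNAME per endpoint; other modes pass through."""
    if requested is not SslVerifyMode.FULL_IF_HOSTNAME:
        return requested
    return SslVerifyMode.CA if is_ip_literal(host) else SslVerifyMode.FULL


def ssl_context_for(requested: SslVerifyMode, host: str) -> ssl.SSLContext:
    """Build a client context for one endpoint. check_hostname must be cleared
    before relaxing verify_mode, otherwise the ssl module raises ValueError."""
    mode = effective_mode(requested, host)
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if mode is SslVerifyMode.NONE:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif mode is SslVerifyMode.CA:
        ctx.check_hostname = False      # chain is still verified
    return ctx
```

For a seed endpoint given as a DNS name the context keeps both checks; for a node reached by IP the chain is still validated against the trust store, so the relaxation is limited to the name match the cloud certificate cannot satisfy anyway.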