heroku / roadmap

This is the public roadmap for Salesforce Heroku services.

Use a trusted CA for Redis certificate #148

Open stof opened 1 year ago

stof commented 1 year ago

Required Terms

What service(s) is this request for?

Redis

Tell us about what you're trying to solve. What challenges are you facing?

Support for Redis < 6 is scheduled to end on April 30, and Redis 6 instances on Heroku Redis require the use of TLS but use a self-signed certificate. This self-signed certificate means that the client code is forced to disable certificate validation. This makes it harder to use the built-in Redis integrations of frameworks, as they might not easily allow disabling that validation.

It would be great if Heroku Redis could use a TLS certificate that is trusted by the root stores available on dynos.

mperham commented 1 year ago

I’m the maintainer of Sidekiq.

This is a big security issue. Every single Sidekiq user wanting to use Heroku Redis has to manually disable certificate verification for TLS, thus opening them up to MITM attacks. I do not understand how this has been allowed to go on for so long as every other Redis service provides verifiable certificates. When will Heroku Redis?

jagthedrummer commented 1 year ago

Please fix this, Heroku.

jbrown-heroku commented 3 months ago

@stof Thank you for raising this important issue. We are investigating how we can address this. We are unlikely to get this enhancement out until 2025, but we are emphasizing this issue to be prioritized.
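To make the risk stof and mperham describe concrete, here is a constructed Ruby example (added here; not Heroku's, Sidekiq's or any commenter's code): a client with `VERIFY_NONE` completes the handshake with an impostor just as readily as with the real instance, while a client that keeps verification on and pins the instance's own self-signed certificate as its only trusted CA refuses the impostor. The certificates, the hostname `redis.example.invalid` and the pinning approach are assumptions for the demo; the thread itself only asks Heroku for a CA-issued certificate.

```ruby
require "openssl"
require "socket"

# Self-signed cert for +cn+: constructed test data standing in for the one a Heroku Redis instance presents.
def self_signed(cn)
  key = OpenSSL::PKey::EC.generate("prime256v1")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end
# Client context: verification stays ON, but the only trusted CA is the instance's own certificate.
def pinned_ctx(trusted_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted_cert) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end
# TLS handshake over an in-process socket pair; true if the client accepted the server's cert.
def handshake_accepted?(cert, key, client_ctx)
  srv_io, cli_io = UNIXSocket.pair
  srv_ctx = OpenSSL::SSL::SSLContext.new
  srv_ctx.cert, srv_ctx.key = cert, key
  server = Thread.new { OpenSSL::SSL::SSLSocket.new(srv_io, srv_ctx).accept rescue nil }
  OpenSSL::SSL::SSLSocket.new(cli_io, client_ctx).connect
  true
rescue OpenSSL::SSL::SSLError
  false
ensure
  cli_io.close # close the client side first so the server thread is guaranteed to unblock
  server.join
  srv_io.close
end
# Legitimate instance vs. an impostor presenting its own cert under the same name.
def run_demo
  real_cert, real_key = self_signed("redis.example.invalid")
  fake_cert, fake_key = self_signed("redis.example.invalid")
  insecure = OpenSSL::SSL::SSLContext.new.tap { |c| c.verify_mode = OpenSSL::SSL::VERIFY_NONE }
  {
    none_real: handshake_accepted?(real_cert, real_key, insecure),                # true
    none_fake: handshake_accepted?(fake_cert, fake_key, insecure),                # true: MITM goes unnoticed
    pinned_real: handshake_accepted?(real_cert, real_key, pinned_ctx(real_cert)), # true
    pinned_fake: handshake_accepted?(fake_cert, fake_key, pinned_ctx(real_cert))  # false: impostor refused
  }
end
```

Pinning only works while the instance keeps the same certificate; a certificate rotation by the provider breaks the pinned client, which is one more reason a CA-issued certificate is the right fix.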