redis / redis-py

Redis Python client
MIT License

SSL configuration for hostname verification #1399

Closed y4nnr closed 4 years ago

y4nnr commented 4 years ago

Version: redis-py 3.0

Platform: Python on Ubuntu 19.04

Description: As mentioned in the README, since redis-py 3.0 the default value of the ssl_cert_reqs option changed from None to 'required'. I ran into some issues when configuring redis-py 3.0 to use SSL with an ElastiCache Redis cluster (with encryption in transit ON). My attempts to connect failed when using only "ssl=True" and I don't think it's because of improper SSL certs received from AWS ElastiCache. I resolved the problem by using "ssl_ca_certs" and setting the path for a ca-certificates.crt. Eventually I decided to use certifi (https://pypi.org/project/certifi/).

I believe the problem could be that Python does not use a trusted certificate authority bundle by default, leading to the SSL handshake failure since the Amazon-issued TLS certificate can't be verified.

Suggested method in the readme (turning off hostname verification):

>>> import redis
>>> r = redis.Redis(host='xxxxxx.cache.amazonaws.com',port=6379, db=0, ssl=True, ssl_cert_reqs=None)
>>> r.set('foo', 'bar')
True
>>> r.get('foo')
b'bar'

Working method with hostname verification (using the local cert bundle):

>>> import redis
>>> r = redis.Redis(host='xxxxxx.cache.amazonaws.com',port=6379, db=0, ssl=True, ssl_ca_certs='/etc/ssl/certs/ca-certificates.crt')
>>> r.set('foo', 'bar')
True
>>> r.get('foo')
b'bar'

Working method with hostname verification (using certifi):

>>> import redis, certifi
>>> r = redis.Redis(host='xxxxxx.cache.amazonaws.com',port=6379, db=0, ssl=True, ssl_ca_certs=certifi.where())
>>> r.set('foo', 'bar')
True
>>> r.get('foo')
b'bar'

Perhaps the recommendation to turn off hostname verification when using AWS ElastiCache could be removed and the suggestion to use a certificate bundle or certifi included?
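The three configurations in this report differ only in whether the client verifies the server certificate and hostname. The following added example (not code from the issue or from redis-py itself) shows, with only the standard library, what each redis-py option amounts to: it builds an `ssl.SSLContext` with the same effect the `ssl_cert_reqs` / `ssl_ca_certs` options have, resolves a CA bundle in the order the reporter used (explicit path, then certifi, then the interpreter's default verify paths), and produces keyword arguments for `redis.Redis(...)` that keep verification on or fail loudly rather than silently disabling it. The option-to-`verify_mode` mapping, the helper names and the hostname `xxxxxx.cache.amazonaws.com` are this example's assumptions; only `redis`'s `ssl`, `ssl_cert_reqs` and `ssl_ca_certs` parameter names come from the page.

```python
"""TLS verification settings for a redis-py client, built from the stdlib.

Added example: mirrors the effect of redis-py's ssl_cert_reqs / ssl_ca_certs
options; it is not redis-py's own implementation.
"""
import os
import ssl
from typing import Optional

# Assumed mapping from redis-py's ssl_cert_reqs values to stdlib constants.
# None and 'required' are the two values the issue discusses.
_CERT_REQS = {
    None: ssl.CERT_NONE,
    "none": ssl.CERT_NONE,
    "optional": ssl.CERT_OPTIONAL,
    "required": ssl.CERT_REQUIRED,
}


def find_ca_bundle(explicit_path: Optional[str] = None) -> Optional[str]:
    """Resolve a CA bundle path in the order used in the issue:
    explicit file, then certifi (if installed), then the interpreter's
    default verify paths. Returns None when nothing usable exists."""
    if explicit_path:
        if not os.path.isfile(explicit_path):
            raise FileNotFoundError(f"CA bundle not found: {explicit_path}")
        return explicit_path
    try:
        import certifi  # optional dependency, as suggested in the issue
        return certifi.where()
    except ImportError:
        pass
    cafile = ssl.get_default_verify_paths().cafile
    if cafile and os.path.isfile(cafile):
        return cafile
    return None


def redis_tls_kwargs(host: str, port: int = 6379,
                     ca_bundle: Optional[str] = None) -> dict:
    """Keyword arguments for redis.Redis(...) that keep certificate and
    hostname verification enabled. Raises if no trust anchor can be found
    instead of falling back to ssl_cert_reqs=None."""
    bundle = find_ca_bundle(ca_bundle)
    if bundle is None:
        raise RuntimeError(
            "no CA bundle available: install certifi or pass ssl_ca_certs")
    return {
        "host": host,
        "port": port,
        "ssl": True,
        "ssl_cert_reqs": "required",  # the redis-py 3.0 default, made explicit
        "ssl_ca_certs": bundle,
    }


def build_context(ssl_cert_reqs, ssl_ca_certs: Optional[str] = None) -> ssl.SSLContext:
    """Build an SSLContext with the same effect as the given redis-py options.

    PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True;
    ssl_cert_reqs=None is what turns both off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    mode = _CERT_REQS[ssl_cert_reqs]
    if mode == ssl.CERT_NONE:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
    ctx.verify_mode = mode
    if mode != ssl.CERT_NONE:
        ctx.check_hostname = True
        if ssl_ca_certs:
            ctx.load_verify_locations(cafile=ssl_ca_certs)
        else:
            ctx.load_default_certs()  # system trust store, if any
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only when both chain validation and hostname matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    weak = build_context(None)                      # the README's old suggestion
    strong = build_context("required", find_ca_bundle())
    print("ssl_cert_reqs=None      verifies peer:", verifies_peer(weak))
    print("ssl_cert_reqs='required' verifies peer:", verifies_peer(strong))
    try:
        # assumed hostname placeholder, as in the issue's transcripts
        print(redis_tls_kwargs("xxxxxx.cache.amazonaws.com"))
    except RuntimeError as exc:
        print("refusing to connect without verification:", exc)
```

The usual pitfall is the other way round: a connection that fails to verify gets "fixed" by passing `ssl_cert_reqs=None`, which is the weak context above, where neither the chain nor the hostname is checked. Supplying a bundle through `ssl_ca_certs` (certifi's or the distribution's) keeps the `'required'` default intact and is the configuration the two working transcripts in this report use.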

andymccurdy commented 4 years ago

Those seem like good suggestions. I didn't know about certifi, thanks for sharing. If you would like to open a PR with changes to the readme I'll get it merged quickly.

y4nnr commented 4 years ago

Thanks for the quick response, I have opened https://github.com/andymccurdy/redis-py/pull/1400

andymccurdy commented 4 years ago

Merged in e4067e8b4441b512cab35039e41160b8a6e3c462