Closed y4nnr closed 4 years ago
Those seem like good suggestions. I didn't know about certifi, thanks for sharing. If you would like to open a PR with changes to the readme I'll get it merged quickly.
Thanks for the quick response, I have opened https://github.com/andymccurdy/redis-py/pull/1400
Merged in e4067e8b4441b512cab35039e41160b8a6e3c462
Version: What redis-py and what redis version is the issue happening on? redis-py 3.0
Platform: What platform / version? (For example Python 3.5.1 on Windows 7 / Ubuntu 15.10 / Azure) Python on Ubuntu 19.04
Description: Description of your issue, stack traces from errors and code that reproduces the issue As mentioned in the README, since redis-py 3.0 the default value of the ssl_cert_reqs option changed from None to 'required'. I ran into some issues when configuring redis-py 3.0 to use SSL with an ElastiCache Redis cluster (with encryption in transit ON). My attempts to connect failed when using only "ssl=True" and I don't think it's because of improper SSL certs received from AWS ElastiCache. I resolved the problem by using "ssl_ca_certs" and setting the path for a ca-certificates.crt. Eventually I decided to use certifi (https://pypi.org/project/certifi/).
I believe the problem could be that Python does not use a trusted certificate authority bundle by default, leading to the SSL handshake failure since the Amazon-issued TLS certificate can't be verified.
Suggested method in the readme (turning off hostname verification):
Working method with hostname verification (using the local cert bundle):
Working method with hostname verification (using certifi):
Perhaps the recommendation to turn off hostname verification when using AWS ElastiCache could be removed and the suggestion to use a certificate bundle or certifi included?
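An added example, not code from the issue or from redis-py: it shows why a verifying TLS client with no CA bundle loaded cannot validate any server certificate, and builds the `ssl`, `ssl_cert_reqs` and `ssl_ca_certs` keyword arguments named in the report from certifi or the system bundle. The helper names are hypothetical, and it assumes, as the report suggests, that the client trusts only the bundle it is given.

```python
import ssl


def trusted_ca_count(ca_file=None):
    """CA certificates held by a verifying client context after optionally
    loading ca_file. Zero means every certificate check will fail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_file:
        try:
            ctx.load_verify_locations(cafile=ca_file)
        except (ssl.SSLError, OSError):  # missing, unreadable or empty bundle
            return 0
    return ctx.cert_store_stats()["x509_ca"]


def resolve_ca_bundle():
    """Return the first usable CA bundle: certifi if installed, else the
    system default file. None if neither yields any trusted CA."""
    candidates = []
    try:
        import certifi
        candidates.append(certifi.where())
    except ImportError:
        pass
    candidates.append(ssl.get_default_verify_paths().cafile)
    for path in candidates:
        if path and trusted_ca_count(path) > 0:
            return path
    return None


def redis_tls_kwargs(ca_file):
    """Keyword arguments for redis.Redis(...) that keep certificate and
    hostname verification on instead of disabling them."""
    if not ca_file:
        raise ValueError("no CA bundle: refusing to build an unverifiable config")
    return {"ssl": True, "ssl_cert_reqs": "required", "ssl_ca_certs": ca_file}


if __name__ == "__main__":
    print("CAs trusted with nothing loaded:", trusted_ca_count())
    bundle = resolve_ca_bundle()
    print("bundle:", bundle, "->", trusted_ca_count(bundle), "CAs")
    if bundle:
        # Usage (host is a placeholder, redis-py must be installed):
        # redis.Redis(host="<elasticache-endpoint>", port=6379, **redis_tls_kwargs(bundle))
        print(redis_tls_kwargs(bundle))
```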