ssl_check_hostname parameter is not respected for Redis connections #2210

Open
d9pouces opened this issue Dec 21, 2024 · 0 comments
d9pouces commented Dec 21, 2024

For testing, I use a redis that only accepts TLS connections, with a certificate that does not match the Redis hostname.

My broker is configured with the following URL: BROKER_URL = "rediss://:password@localhost:6379/1?ssl_check_hostname=false&ssl_cert_reqs=required&ssl_certfile=./localhost.crt&ssl_keyfile=./localhost.key&ssl_ca_certs=./CA.crt".

ssl_check_hostname is left as-is ("false"), and is evaluated to True when a Redis connection is created:
In kombu/transport/redis.py, we have

connparams == {'host': '0.0.0.0', 'port': 55043, 'username': None, 'password': 'interdiode', 'max_connections': 10, 'socket_timeout': None, 'socket_connect_timeout': None, 'socket_keepalive': None, 'socket_keepalive_options': None, 'health_check_interval': 25, 'retry_on_timeout': None, 'ssl_check_hostname': 'false', 'ssl_certfile': 'tools/localhost.crt', 'ssl_keyfile': 'tools/localhost.key', 'ssl_ca_certs': 'tools/CA.crt', 'connection_class': Connection(), 'db': 1}

If I patch kombu/utils/url.py (line 42) with a boolean interpretation of ssl_check_hostname, everything works as expected.

```python
# Excerpt of kombu/utils/url.py as patched; _parse_url, parse_ssl_cert_reqs
# and logger are names from that module.
def parse_url(url):
    # type: (str) -> Dict
    """Parse URL into mapping of components."""
    scheme, host, port, user, password, path, query = _parse_url(url)
    if query:
        keys = [key for key in query.keys() if key.startswith('ssl_')]
        for key in keys:
            if key == "ssl_check_hostname":
                # Patched lines: convert the query-string value to a bool.
                # Any value other than "false" (case-insensitive) becomes True.
                query[key] = query[key].lower() != 'false'
            elif key == 'ssl_cert_reqs':
                query[key] = parse_ssl_cert_reqs(query[key])
                if query[key] is None:
                    logger.warning('Defaulting to insecure SSL behaviour.')

            # Move every ssl_* option into the nested 'ssl' mapping.
            if 'ssl' not in query:
                query['ssl'] = {}

            query['ssl'][key] = query[key]
            del query[key]

    return dict(transport=scheme, hostname=host,
                port=port, userid=user,
                password=password, virtual_host=path, **query)
```
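The string-versus-boolean behaviour reported in this issue, as an added example that is not part of the original post and is not kombu's code: a query-string value such as "false" is a non-empty string and therefore truthy, so it has to be parsed explicitly. The helpers `parse_bool_option` and `ssl_options_from_url` are hypothetical names, the sample URL is constructed, and the parser rejects unrecognised values instead of guessing, so a typo or an empty value cannot silently change whether the hostname is checked.

```python
from urllib.parse import urlsplit, parse_qsl

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}


def parse_bool_option(raw):
    """Convert a query-string value to a real bool, rejecting anything ambiguous."""
    if isinstance(raw, bool):
        return raw
    text = str(raw).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    # Fail loudly: bool("flase") is True and bool("") is False, both surprising.
    raise ValueError(f"not a boolean: {raw!r}")


def ssl_options_from_url(url):
    """Collect ssl_* query parameters; ssl_check_hostname becomes a bool."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    opts = {k: v for k, v in query.items() if k.startswith("ssl_")}
    if "ssl_check_hostname" in opts:
        opts["ssl_check_hostname"] = parse_bool_option(opts["ssl_check_hostname"])
    return opts


# Constructed sample URL (placeholder password and paths).
SAMPLE = ("rediss://:secret@localhost:6379/1"
          "?ssl_check_hostname=false&ssl_cert_reqs=required&ssl_ca_certs=./CA.crt")

if __name__ == "__main__":
    raw = dict(parse_qsl(urlsplit(SAMPLE).query))["ssl_check_hostname"]
    # The raw value is the string 'false', which Python treats as truthy.
    print("raw value:", repr(raw), "-> bool(raw) =", bool(raw))
    print("parsed   :", ssl_options_from_url(SAMPLE)["ssl_check_hostname"])
    for bad in ("", "flase"):
        try:
            parse_bool_option(bad)
        except ValueError as exc:
            print("rejected :", exc)
```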