redis-py icon indicating copy to clipboard operation
redis-py copied to clipboard

Published 20 hours ago verified publisher icon redis

Asking for an option to deactivate x509 strict mode for TLS connections

Open devl00p opened this issue 5 months ago • 1 comments

Hello,

We are using Google Cloud for our python jobs using Redis. When we tried to upgrade some of our code to Python 3.13 we noticed that our jobs could not access our hosted Redis instance.

This is related to the Python 3.13 change: https://docs.python.org/3/whatsnew/3.13.html#ssl

The VERIFY_X509_STRICT is now used by default by Python 3.13 and unfortunately the certificates generated by the cloud provider don't have that TLS x509 extension.

Currently:

  • I can't recreate the server certificate which is handled by the cloud provider
  • I can't find a parameter on the redis-py client to deactivate the x509 strict mode
  • I'm stuck with Python 3.12

One solution would be to completely deactivate the certificate checking but this is something we can't do for security purpose.

Would it be possible to have a way to deactivate x509 strict mode inside Redis-py ?

I looked at existing parameters and didn't see something helpful.

The error message we get:

redis.exceptions.ConnectionError: Error 1 connecting to redis-production:6378. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1028).

Best regards

devl00p avatar Jun 25 '25 14:06 devl00p

Hi @devl00p, You're absolutely right — at the moment, it's not possible to configure verify_flags for the client's SSL context. I’ll try to add support for this in the coming weeks, but I can’t guarantee exactly when I’ll be able to implement and merge it. If you have some time, feel free to open a PR adding it as a configurable option when creating the client — that would be very welcome!

petyaslavova avatar Jun 27 '25 16:06 petyaslavova

Hacky workaround I'm using temporarily until this is fixed:

import os
import ssl
from typing import Mapping

from redis.asyncio import Redis as AsyncRedis
from redis.asyncio import SSLConnection

class RelaxedSSLConnection(SSLConnection):
    def _connection_arguments(self) -> Mapping:
        kwargs = super()._connection_arguments()
        ssl_context = self.ssl_context.get()
        if hasattr(ssl, "VERIFY_X509_STRICT"):
            ssl_context.verify_flags = ssl_context.verify_flags & ~ssl.VERIFY_X509_STRICT

        if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):
            ssl_context.verify_flags = ssl_context.verify_flags & ~ssl.VERIFY_X509_PARTIAL_CHAIN

        kwargs["ssl"] = ssl_context  # type: ignore
        return kwargs


_redis_connection = AsyncRedis(
    host=HOST,
    port=PORT,
    ssl=True,
    ssl_ca_certs=os.path.expanduser(REDIS_TLS_CERT_LOCATION),
    ssl_cert_reqs="required",
)
_redis_connection.connection_pool.connection_class = RelaxedSSLConnection

danconnell avatar Aug 26 '25 01:08 danconnell

I could test the beta release and I can tell it works well :) Thank you

Will a stable release be available soon ?

devl00p avatar Sep 30 '25 12:09 devl00p

I could test the beta release and I can tell it works well :) Thank you

Will a stable release be available soon ?

We should release a GA version in a few weeks.

petyaslavova avatar Oct 02 '25 06:10 petyaslavova