
I’m having a problem connecting with redis-py using TLS

Open GoodManWEN opened this issue 2 years ago • 7 comments

Version: What redis-py and what redis version is the issue happening on? redis-py: latest redis: 6.0.13

Platform: What platform / version? (For example Python 3.5.1 on Windows 7 / Ubuntu 15.10 / Azure) ubuntu 22.04

Description: Description of your issue, stack traces from errors and code that reproduces the issue Hi all, I want to use TLS to protect my connection. In short what I did is that I generated five files: server.crt, server.key, client.crt, client.key, and ca.crt, and then started redis-server using the following command: redis-server --tls-port 6666 --port 0 --tls-cert-file ./server.crt --tls-key-file ./server.key --tls-ca-cert-file ./ca.crt

The good news is that I can connect to this TLS port with redis-cli using the command redis-cli --tls -p 6666 --cert ./client.crt --key ./client.key --cacert ./ca.crt and send ping/pong commands normally and everything just works fine. However, the bad news is that I can’t get redis-py to work using the same configuration.

I'm using the following code:

import redis.asyncio as aioredis
import asyncio

async def main():
    # Mutual TLS: the client presents client.crt/client.key and verifies the server against ca.crt
    conn = await aioredis.Redis(
        host='localhost',
        port=6666,                 # the --tls-port passed to redis-server
        ssl=True,
        ssl_certfile='client.crt',
        ssl_keyfile='client.key',
        ssl_cert_reqs="required",  # equivalent of ssl.CERT_REQUIRED
        ssl_ca_certs='ca.crt',
    )
    print(await conn.ping())

asyncio.run(main())

Getting the error message:

...
  File "C:\Program Files\Python310\lib\asyncio\sslproto.py", line 188, in feed_ssldata
    self._sslobj.do_handshake()
  File "C:\Program Files\Python310\lib\ssl.py", line 975, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate signature failure (_ssl.c:997)

During handling of the above exception, another exception occurred:

...
  File "C:\Program Files\Python310\lib\site-packages\redis\asyncio\connection.py", line 613, in connect
    raise ConnectionError(self._error_message(e))
redis.exceptions.ConnectionError: Error 1 connecting to localhost:6666. 1.

I would like to know if I am doing something wrong or if this is a bug. Thanks!

GoodManWEN, Mar 28 '23 03:03
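An added diagnostic, not code from the issue or from redis-py: it builds the same kind of SSLContext that redis-py's ssl=True / ssl_cert_reqs="required" options produce (assumed to pass straight through to the stdlib ssl module), reports the settings that vary between Python builds, and performs the handshake plus a raw RESP PING without redis-py, so a CERTIFICATE_VERIFY_FAILED here points at the certificates or the local OpenSSL rather than at the client library. File names, host and port are the ones from the report above.

```python
import socket
import ssl


def build_mtls_context(ca_file, cert_file, key_file, check_hostname=False):
    """Context equivalent to redis-py's ssl_ca_certs / ssl_certfile / ssl_keyfile /
    ssl_cert_reqs="required" (assumption: redis-py forwards these to stdlib ssl;
    its ssl_check_hostname defaults to False, so hostname checking is off unless asked)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = check_hostname
    ctx.load_cert_chain(cert_file, key_file)  # client identity for mutual TLS
    return ctx


def describe_context(ctx):
    """Settings worth comparing across interpreters (security_level exists from Python 3.10)."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "security_level": getattr(ctx, "security_level", None),
        "openssl": ssl.OPENSSL_VERSION,
    }


def parse_simple_string(reply):
    """Decode a RESP simple-string reply such as b'+PONG\\r\\n'; an error reply raises."""
    if not reply.endswith(b"\r\n"):
        raise ValueError(f"incomplete RESP reply: {reply!r}")
    body = reply[1:-2].decode()
    if reply[:1] == b"+":
        return body
    if reply[:1] == b"-":
        raise RuntimeError(f"redis error reply: {body}")
    raise ValueError(f"unexpected RESP type byte: {reply[:1]!r}")


def tls_ping(host, port, ctx):
    """Handshake and PING with plain sockets. Returns 'PONG' on success, or the
    OpenSSL verify_message when the server certificate is rejected."""
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"PING\r\n")
                return parse_simple_string(tls.recv(64))
    except ssl.SSLCertVerificationError as exc:
        return f"verify failed: {exc.verify_message} (code {exc.verify_code})"


if __name__ == "__main__":
    context = build_mtls_context("ca.crt", "client.crt", "client.key")
    print(describe_context(context))
    print(tls_ping("localhost", 6666, context))
```

Running it under each interpreter in the thread (3.8 and 3.10) and comparing the describe_context output side by side shows whether the two builds actually negotiate under the same verification settings.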

After upgrading to pip package redis==4.5.3, I am observing a very similar SSL ConnectionError. Redis: 5.0.6 + GhostTunnel (Dockers: redis:5.0.6-alpine + squareup/ghostunnel:v1.5.0) Client: Python 3.8.16 on Google App Engine Standard (Ubuntu 20.04 LTS under the hood)

PEM SSL certificate generated by openssl req -new -x509 -days <DAYS> -nodes ...

Not reproducible after reverting to redis==3.3.8. Not reproducible with same local setup (redis==4.5.3 + Dockers) with Python 3.8.16 on Ubuntu 22.10.

Traceback (most recent call last):
  File "/layers/google.python.pip/pip/lib/python3.8/site-packages/redis/connection.py", line 865, in read_response
    response = self._parser.read_response(disable_decoding=disable_decoding)
  File "/layers/google.python.pip/pip/lib/python3.8/site-packages/redis/connection.py", line 346, in read_response
    result = self._read_response(disable_decoding=disable_decoding)
  File "/layers/google.python.pip/pip/lib/python3.8/site-packages/redis/connection.py", line 356, in _read_response
    raw = self._buffer.readline()
  File "/layers/google.python.pip/pip/lib/python3.8/site-packages/redis/connection.py", line 259, in readline
    self._read_from_socket()
  File "/layers/google.python.pip/pip/lib/python3.8/site-packages/redis/connection.py", line 209, in _read_from_socket
    data = self._sock.recv(socket_read_size)
  File "/layers/google.python.runtime/python/lib/python3.8/ssl.py", line 1226, in recv
    return self.read(buflen)
  File "/layers/google.python.runtime/python/lib/python3.8/ssl.py", line 1101, in read
    return self._sslobj.read(len)
ConnectionResetError: [Errno 104] Connection reset by peer

alex-kowalczyk, Mar 30 '23 07:03

@alex-kowalczyk Thank you for your reply. After your suggestion, I reverted to Python version 3.8 and redis-py version 4.2.0. I used the same code and was able to successfully connect via TLS. Therefore, it should be possible to conclude that the current version is behaving in a buggy way.

GoodManWEN, Mar 30 '23 09:03

I wonder if this is related to this issue that I am seeing: https://github.com/redis/redis-py/issues/2406#issuecomment-1472861856

cancan101, Apr 05 '23 18:04

@GoodManWEN Are you using the same version of Python for all of this? There was some certificate hardening/changes in the post-3.6 world, and I'd like to make sure we're looking at a comparison of equals.

chayim, Apr 16 '23 06:04

> @GoodManWEN Are you using the same version of Python for all of this? There was some certificate hardening/changes in the post-3.6 world, and I'd like to make sure we're looking at a comparison of equals.

No, I didn’t perform rigorous testing because I wasn’t sure if the issue was caused by a code error or a bug when I submitted it. What I can confirm is that Python 3.10 + the latest redis-py doesn’t work with tls, while it works fine after reverting to Python 3.8 + redis-py 4.20, both of which use the same code and certificate.

I think it would be helpful to pinpoint the problem if someone in the community could submit a table that shows whether the test code for TLS works with various Python versions in combination with various redis-py.

GoodManWEN, Apr 16 '23 09:04

This issue is marked stale. It will be closed in 30 days if it is not updated.

github-actions[bot], Apr 16 '24 00:04