
Support Lettuce SSL/TLS Verification Modes

Open philsttr opened this issue 1 year ago • 5 comments

Lettuce 6.1.0.RELEASE added support for three SSL/TLS verification modes (SslVerifyMode):

  • NONE (corresponds with setVerifyPeer(false))
  • CA (only verifies the CA and cert, without verifying the hostname matches)
  • FULL (corresponds with setVerifyPeer(true))

The new CA mode is most helpful for cluster mode, where the seed connection is made via hostname (and thus matches hostnames in the certificate), but then cluster node connections are made by IP address (which typically do not appear in SubjectAltNames of the certificate, particularly for redis instances from cloud providers).

Currently, Spring Data Redis only supports setVerifyPeer(boolean). I would like Spring Data Redis to support the three verification modes that Lettuce >= 6.1 now supports.

philsttr avatar Apr 21 '24 17:04 philsttr
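The following is an added example and is not code from the issue, from Spring Data Redis or from the Lettuce project. It shows, at the plain Lettuce level, what the issue asks Spring Data Redis to expose: building the seed `RedisURI` for a TLS cluster with an explicit `SslVerifyMode` rather than the boolean `verifyPeer` flag. Lettuce applies the seed URI's TLS settings to the node connections it opens after topology discovery, which is why the choice matters for cluster mode. The hostname, port and timeout are hypothetical values chosen for the example.

```java
import io.lettuce.core.RedisURI;
import io.lettuce.core.SslVerifyMode;
import io.lettuce.core.cluster.ClusterClientOptions;
import io.lettuce.core.cluster.ClusterTopologyRefreshOptions;
import io.lettuce.core.cluster.RedisClusterClient;
import io.lettuce.core.cluster.api.StatefulRedisClusterConnection;

import java.time.Duration;

/**
 * Added example (not part of the issue, Spring Data Redis or Lettuce): connects to a
 * TLS-enabled Redis Cluster with Lettuce >= 6.1 and selects the SslVerifyMode explicitly.
 *
 * Assumed (hypothetical) environment: the seed node is reachable as
 * redis.example.internal:6379, and the node certificates carry that hostname in their
 * SubjectAltName but not the node IP addresses that topology discovery returns.
 */
public final class ClusterSslVerifyModeExample {

    /** Builds the seed RedisURI with the requested verification mode. */
    static RedisURI seedUri(SslVerifyMode mode) {
        return RedisURI.Builder.redis("redis.example.internal", 6379)
                .withSsl(true)
                // NONE, CA or FULL. The older withVerifyPeer(boolean) overload only
                // reaches NONE (false) and FULL (true); CA is not expressible with it.
                .withVerifyPeer(mode)
                .withTimeout(Duration.ofSeconds(5))
                .build();
    }

    public static void main(String[] args) {
        // FULL: chain validation plus hostname check. The seed handshake succeeds
        //       (hostname matches the SAN), but node connections made by IP fail unless
        //       the IPs are also present in the certificate's SAN.
        // CA:   chain validation only, no hostname check. Seed and IP-addressed node
        //       connections both succeed as long as a trusted CA issued each certificate;
        //       the residual risk is any valid certificate from that CA for another host.
        // NONE: no verification at all; any certificate is accepted. Local testing only.
        SslVerifyMode mode = SslVerifyMode.valueOf(args.length > 0 ? args[0] : "CA");

        RedisClusterClient client = RedisClusterClient.create(seedUri(mode));
        client.setOptions(ClusterClientOptions.builder()
                .topologyRefreshOptions(ClusterTopologyRefreshOptions.builder()
                        .enablePeriodicRefresh(Duration.ofSeconds(30))
                        .enableAllAdaptiveRefreshTriggers()
                        .build())
                .build());

        // Node connections opened here inherit the seed URI's TLS settings, including
        // the verification mode; a PING is enough to exercise at least one of them.
        try (StatefulRedisClusterConnection<String, String> connection = client.connect()) {
            System.out.println(connection.sync().ping());
        } finally {
            client.shutdown();
        }
    }
}
```

Run with `CA` (the default above) against a cluster whose node certificates are issued by a CA you already trust; switching the argument to `FULL` reproduces the IP-address hostname mismatch the issue describes once the topology refresh kicks in, and `NONE` should only ever appear in a local test profile.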

Also somewhat related, I filed https://github.com/redis/lettuce/issues/2837 to request an enhancement to verification modes to better secure connecting to redis in cluster mode from cloud providers.

philsttr avatar Apr 22 '24 18:04 philsttr

I think this is a good issue for me to approach. I am going to open a PR this weekend :)

AnneMayor avatar May 28 '24 10:05 AnneMayor

Since I have to finish my work as quickly as possible, I am going to open this PR by the end of June. Thanks.

AnneMayor avatar Jun 02 '24 02:06 AnneMayor

Hi @AnneMayor, I have opened a PR on this issue.

baojian123 avatar Jun 30 '24 11:06 baojian123

Thanks, @baojian123 👍

AnneMayor avatar Jun 30 '24 12:06 AnneMayor