
Commit f092532

committed
Change the default value of ssl_check_hostname to True, so that TLS hostname verification is not skipped by default
1 parent 7f14301 commit f092532


10 files changed

+42
-16
lines changed


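--- a/docs/examples/ssl_connection_examples.ipynb
+++ b/docs/examples/ssl_connection_examples.ipynb
@@ -34,9 +34,10 @@
 "import redis\n",
 "\n",
 "r = redis.Redis(\n",
-" host='localhost', \n",
-" port=6666, \n",
-" ssl=True, \n",
+" host='localhost',\n",
+" port=6666,\n",
+" ssl=True,\n",
+" ssl_check_hostname=False,\n",
 " ssl_cert_reqs=\"none\",\n",
 ")\n",
 "r.ping()"
@@ -68,7 +69,7 @@
 "source": [
 "import redis\n",
 "\n",
-"r = redis.from_url(\"rediss://localhost:6666?ssl_cert_reqs=none&decode_responses=True&health_check_interval=2\")\n",
+"r = redis.from_url(\"rediss://localhost:6666?ssl_cert_reqs=none&ssl_check_hostname=False&decode_responses=True&health_check_interval=2\")\n",
 "r.ping()"
 ]
 },
@@ -99,13 +100,14 @@
 "import redis\n",
 "\n",
 "redis_pool = redis.ConnectionPool(\n",
-" host=\"localhost\", \n",
-" port=6666, \n",
-" connection_class=redis.SSLConnection, \n",
+" host=\"localhost\",\n",
+" port=6666,\n",
+" connection_class=redis.SSLConnection,\n",
+" ssl_check_hostname=False,\n",
 " ssl_cert_reqs=\"none\",\n",
 ")\n",
 "\n",
-"r = redis.StrictRedis(connection_pool=redis_pool) \n",
+"r = redis.StrictRedis(connection_pool=redis_pool)\n",
 "r.ping()"
 ]
 },
@@ -141,6 +143,7 @@
 " port=6666,\n",
 " ssl=True,\n",
 " ssl_min_version=ssl.TLSVersion.TLSv1_3,\n",
+" ssl_check_hostname=False,\n",
 " ssl_cert_reqs=\"none\",\n",
 ")\n",
 "r.ping()"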

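--- a/redis/asyncio/client.py
+++ b/redis/asyncio/client.py
@@ -241,7 +241,7 @@ def __init__(
 ssl_cert_reqs: Union[str, VerifyMode] = "required",
 ssl_ca_certs: Optional[str] = None,
 ssl_ca_data: Optional[str] = None,
-ssl_check_hostname: bool = False,
+ssl_check_hostname: bool = True,
 ssl_min_version: Optional[TLSVersion] = None,
 ssl_ciphers: Optional[str] = None,
 max_connections: Optional[int] = None,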
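Review bot: Flipping the default to True makes `ssl_cert_reqs="none"` on its own an invalid combination, which is why every test and notebook example in this commit also had to add `ssl_check_hostname=False`, yet nothing in this signature or the class docstring tells a caller that. Python's `ssl.SSLContext` refuses `verify_mode = CERT_NONE` while `check_hostname` is True, so existing callers passing only `ssl_cert_reqs="none"` will presumably start failing when the context is built (the builder is outside this hunk, confirm the assignment order there). A docstring line would make the contract explicit: `ssl_check_hostname: verify that the server certificate matches the connected host (default True); cannot be combined with ssl_cert_reqs="none" and should only be disabled for local development.` The `__init__` signature continues outside the hunk.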

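--- a/redis/asyncio/cluster.py
+++ b/redis/asyncio/cluster.py
@@ -271,7 +271,7 @@ def __init__(
 ssl_ca_data: Optional[str] = None,
 ssl_cert_reqs: Union[str, VerifyMode] = "required",
 ssl_certfile: Optional[str] = None,
-ssl_check_hostname: bool = False,
+ssl_check_hostname: bool = True,
 ssl_keyfile: Optional[str] = None,
 ssl_min_version: Optional[TLSVersion] = None,
 ssl_ciphers: Optional[str] = None,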
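Review bot: The synchronous `redis/cluster.py` is not among the ten files in this commit, so the sync `RedisCluster` keeps whatever default it had before; if it declares its own `ssl_check_hostname` parameter instead of forwarding `**kwargs` to `Redis`, the async and sync cluster clients now disagree on a security default. Worth confirming and, if so, changing it in the same commit so the flip is consistent across entry points. The `__init__` signature continues outside the hunk.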

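--- a/redis/asyncio/connection.py
+++ b/redis/asyncio/connection.py
@@ -794,7 +794,7 @@ def __init__(
 ssl_cert_reqs: Union[str, ssl.VerifyMode] = "required",
 ssl_ca_certs: Optional[str] = None,
 ssl_ca_data: Optional[str] = None,
-ssl_check_hostname: bool = False,
+ssl_check_hostname: bool = True,
 ssl_min_version: Optional[TLSVersion] = None,
 ssl_ciphers: Optional[str] = None,
 **kwargs,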
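Review bot: The notebook in this commit now relies on `ssl_check_hostname=False` inside a `rediss://` URL, and a URL option reaches this `__init__` (via `**kwargs`) as the string `"False"` unless the URL query parser maps it to a bool; `bool("False")` is True, so without a `to_bool` entry the opt-out would not take effect and the connection would fail as if the option were absent. The parser table is outside this hunk, so confirm it has an `ssl_check_hostname` entry, and pin it with a test such as `assert Redis.from_url("rediss://h?ssl_check_hostname=False").connection_pool.connection_kwargs["ssl_check_hostname"] is False`. `__init__` continues outside the hunk.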

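--- a/redis/client.py
+++ b/redis/client.py
@@ -223,7 +223,7 @@ def __init__(
 ssl_ca_certs: Optional[str] = None,
 ssl_ca_path: Optional[str] = None,
 ssl_ca_data: Optional[str] = None,
-ssl_check_hostname: bool = False,
+ssl_check_hostname: bool = True,
 ssl_password: Optional[str] = None,
 ssl_validate_ocsp: bool = False,
 ssl_validate_ocsp_stapled: bool = False,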
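Review bot: This is a backward-incompatible default flip, as the commit's own tests and examples show by adding `ssl_check_hostname=False` everywhere `ssl_cert_reqs="none"` appears, but no changelog file is among the ten files changed and the `Redis` class docstring (outside the hunk) is not updated. Add a CHANGES entry stating the new default and the explicit opt-out, and document the parameter: `ssl_check_hostname: check that the server certificate names the connected host (default True); must be False when ssl_cert_reqs="none", and should be disabled only for local development.` Callers connecting by IP address will also need a certificate with an IP SAN once this default is on, which is worth a sentence in the same note. `__init__` continues outside the hunk.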

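--- a/redis/connection.py
+++ b/redis/connection.py
@@ -1028,7 +1028,7 @@ def __init__(
 ssl_cert_reqs="required",
 ssl_ca_certs=None,
 ssl_ca_data=None,
-ssl_check_hostname=False,
+ssl_check_hostname=True,
 ssl_ca_path=None,
 ssl_password=None,
 ssl_validate_ocsp=False,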
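Review bot: A caller that passes only `ssl_cert_reqs="none"` now reaches context creation with check_hostname on and verify_mode CERT_NONE, which the stdlib rejects with a generic ValueError from deep inside the connect path (the context builder is outside this hunk, confirm the order in which it assigns the two attributes). A guard after `cert_reqs` has been normalized to an `ssl.VerifyMode` would make the failure actionable: `if self.check_hostname and self.cert_reqs == ssl.CERT_NONE: raise ValueError("ssl_check_hostname=True cannot be combined with ssl_cert_reqs='none'; pass ssl_check_hostname=False to skip hostname verification")`. Raise rather than silently switching hostname checking off, since silently skipping the check is exactly what this commit is meant to stop. `__init__` continues outside the hunk, so the attribute names are assumed.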

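--- a/tests/test_asyncio/test_cluster.py
+++ b/tests/test_asyncio/test_cluster.py
@@ -3109,7 +3109,9 @@ async def test_ssl_with_invalid_cert(
 async def test_ssl_connection(
 self, create_client: Callable[..., Awaitable[RedisCluster]]
 ) -> None:
-async with await create_client(ssl=True, ssl_cert_reqs="none") as rc:
+async with await create_client(
+ssl=True, ssl_check_hostname=False, ssl_cert_reqs="none"
+) as rc:
 assert await rc.ping()
 
 @pytest.mark.parametrize(
@@ -3125,6 +3127,7 @@ async def test_ssl_connection_tls12_custom_ciphers(
 ) -> None:
 async with await create_client(
 ssl=True,
+ssl_check_hostname=False,
 ssl_cert_reqs="none",
 ssl_min_version=ssl.TLSVersion.TLSv1_2,
 ssl_ciphers=ssl_ciphers,
@@ -3136,6 +3139,7 @@ async def test_ssl_connection_tls12_custom_ciphers_invalid(
 ) -> None:
 async with await create_client(
 ssl=True,
+ssl_check_hostname=False,
 ssl_cert_reqs="none",
 ssl_min_version=ssl.TLSVersion.TLSv1_2,
 ssl_ciphers="foo:bar",
@@ -3157,6 +3161,7 @@ async def test_ssl_connection_tls13_custom_ciphers(
 # TLSv1.3 does not support changing the ciphers
 async with await create_client(
 ssl=True,
+ssl_check_hostname=False,
 ssl_cert_reqs="none",
 ssl_min_version=ssl.TLSVersion.TLSv1_2,
 ssl_ciphers=ssl_ciphers,
@@ -3172,6 +3177,7 @@ async def test_validating_self_signed_certificate(
 ssl=True,
 ssl_ca_certs=self.ca_cert,
 ssl_cert_reqs="required",
+ssl_check_hostname=False,
 ssl_certfile=self.client_cert,
 ssl_keyfile=self.client_key,
 ) as rc:
@@ -3187,6 +3193,7 @@ async def test_validating_self_signed_string_certificate(
 ssl=True,
 ssl_ca_data=cert_data,
 ssl_cert_reqs="required",
+ssl_check_hostname=False,
 ssl_certfile=self.client_cert,
 ssl_keyfile=self.client_key,
 ) as rc: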
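Review bot: After this change every SSL test in the class opts out with `ssl_check_hostname=False`, including `test_validating_self_signed_certificate` which otherwise verifies against a CA, so no test exercises the new default at all; that the CA-verified tests needed the opt-out also suggests the fixture certificate does not name the host being connected to. At minimum add a negative test that omits `ssl_check_hostname` and expects the connection to be refused, and ideally reissue the test certificate with a SAN for the test host so one positive connection runs with the default. The expected exception type should match whatever `test_ssl_with_invalid_cert` (outside the hunk) already asserts. The enclosing test methods all start outside the hunk.

```python
async def test_ssl_check_hostname_default_rejects_unnamed_host(
    self, create_client: Callable[..., Awaitable[RedisCluster]]
) -> None:
    # No ssl_check_hostname argument: the default (True) must refuse a
    # CA-valid certificate that does not name the connected host.
    with pytest.raises(Exception):  # narrow to the type test_ssl_with_invalid_cert expects
        async with await create_client(
            ssl=True,
            ssl_ca_certs=self.ca_cert,
            ssl_cert_reqs="required",
            ssl_certfile=self.client_cert,
            ssl_keyfile=self.client_key,
        ) as rc:
            await rc.ping()
```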

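--- a/tests/test_asyncio/test_connect.py
+++ b/tests/test_asyncio/test_connect.py
@@ -68,6 +68,7 @@ async def test_tcp_ssl_tls12_custom_ciphers(tcp_address, ssl_ciphers):
 socket_timeout=10,
 ssl_min_version=ssl.TLSVersion.TLSv1_2,
 ssl_ciphers=ssl_ciphers,
+ssl_check_hostname=False,
 )
 await _assert_connect(
 conn, tcp_address, certfile=server_certs.certfile, keyfile=server_certs.keyfile
@@ -95,12 +96,16 @@ async def test_tcp_ssl_connect(tcp_address, ssl_min_version):
 host=host,
 port=port,
 client_name=_CLIENT_NAME,
+ssl_check_hostname=False,
 ssl_ca_certs=server_certs.ca_certfile,
 socket_timeout=10,
 ssl_min_version=ssl_min_version,
 )
 await _assert_connect(
-conn, tcp_address, certfile=server_certs.certfile, keyfile=server_certs.keyfile
+conn,
+tcp_address,
+certfile=server_certs.certfile,
+keyfile=server_certs.keyfile,
 )
 await conn.disconnect()
 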
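Review bot: `test_tcp_ssl_connect` verifies the server against `server_certs.ca_certfile` yet now also disables hostname checking, which indicates the generated certificate carries no SAN for `host`; since `server_certs` is produced by the test helpers (outside the hunk), the better fix is to issue it with a SAN matching the connected host and drop `ssl_check_hostname=False` here, so the new default is covered by at least one successful handshake. As written, both SSL paths in this file opt out of the very behaviour the commit enables. Both test functions start outside the hunk.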
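--- a/tests/test_connect.py
+++ b/tests/test_connect.py
@@ -58,6 +58,7 @@ def test_tcp_ssl_connect(tcp_address, ssl_min_version):
 conn = SSLConnection(
 host=host,
 port=port,
+ssl_check_hostname=False,
 client_name=_CLIENT_NAME,
 ssl_ca_certs=server_certs.ca_certfile,
 socket_timeout=10,
@@ -90,6 +91,7 @@ def test_tcp_ssl_tls12_custom_ciphers(tcp_address, ssl_ciphers):
 socket_timeout=10,
 ssl_min_version=ssl.TLSVersion.TLSv1_2,
 ssl_ciphers=ssl_ciphers,
+ssl_check_hostname=False,
 )
 _assert_connect(
 conn, tcp_address, certfile=server_certs.certfile, keyfile=server_certs.keyfile
</gr_codeblock_placeholder>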
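Review bot: The sync `test_tcp_ssl_connect` is the only place a CA-verified handshake is tested synchronously, and it now opts out of hostname checking rather than exercising the new default; a short comment on the added line, `# test cert has no SAN for host; see <helper> before relying on this`, or better a fixture certificate that names the host so the argument can be dropped, would keep the test honest about what it covers. Minor style point: the async twin inserts `ssl_check_hostname=False` after `client_name`, this file inserts it before, so grouping the `ssl_*` arguments together in both would make the two tests easier to diff. Both test functions start and end outside the hunk.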

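--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -37,7 +37,13 @@ def test_ssl_with_invalid_cert(self, request):
 def test_ssl_connection(self, request):
 ssl_url = request.config.option.redis_ssl_url
 p = urlparse(ssl_url)[1].split(":")
-r = redis.Redis(host=p[0], port=p[1], ssl=True, ssl_cert_reqs="none")
+r = redis.Redis(
+host=p[0],
+port=p[1],
+ssl=True,
+ssl_check_hostname=False,
+ssl_cert_reqs="none",
+)
 assert r.ping()
 r.close()
 
@@ -98,6 +104,7 @@ def test_ssl_connection_tls12_custom_ciphers(self, request, ssl_ciphers):
 host=p[0],
 port=p[1],
 ssl=True,
+ssl_check_hostname=False,
 ssl_cert_reqs="none",
 ssl_min_version=ssl.TLSVersion.TLSv1_3,
 ssl_ciphers=ssl_ciphers,
@@ -112,6 +119,7 @@ def test_ssl_connection_tls12_custom_ciphers_invalid(self, request):
 host=p[0],
 port=p[1],
 ssl=True,
+ssl_check_hostname=False,
 ssl_cert_reqs="none",
 ssl_min_version=ssl.TLSVersion.TLSv1_2,
 ssl_ciphers="foo:bar",
@@ -136,6 +144,7 @@ def test_ssl_connection_tls13_custom_ciphers(self, request, ssl_ciphers):
 host=p[0],
 port=p[1],
 ssl=True,
+ssl_check_hostname=False,
 ssl_cert_reqs="none",
 ssl_min_version=ssl.TLSVersion.TLSv1_2,
 ssl_ciphers=ssl_ciphers,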
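Review bot: All four SSL tests here now pass `ssl_check_hostname=False`, so this file no longer asserts anything about the default this commit introduces. Add one test that omits the argument and asserts that `redis.Redis(host=p[0], port=p[1], ssl=True, ssl_cert_reqs="none")` fails on connect (with the exception type the context builder raises, which is outside this file), which both documents the break and guards against the default silently regressing to False. A matching positive test against a certificate that names the test host would complete the coverage. The enclosing test methods start outside the hunk.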
