redis/go-redis
1
0
Fork 0
mirror of https://github.com/redis/go-redis.git synced 2025-09-02 22:01:16 +03:00
Code Activity

fix: update test expectations for consistent TLS 1.2 enforcement

Browse Source 
After pulling the latest security fixes, update test cases to match the new
security-first behavior where all rediss:// URLs enforce TLS 1.2 minimum:

**Changes Made**:
1. **Cluster Test Fixes**:
   - Updated ParseRedissURL test to expect MinVersion: tls.VersionTLS12
   - Updated MultipleRedissURLs test to expect MinVersion: tls.VersionTLS12
   - Updated RedissTLSCert test to expect MinVersion: tls.VersionTLS12
   - Updated RedissSkipVerify test to expect MinVersion: tls.VersionTLS12

2. **Sentinel Client Consistency**:
   - Made sentinel client behavior consistent with single/cluster clients
   - Always set MinVersion to TLS 1.2 for rediss:// URLs, even when not specified
   - Matches the security-first approach across all client types

**Security Behavior**:
- All rediss:// URLs now enforce minimum TLS 1.2 by default
- Consistent security posture across single, cluster, and sentinel clients
- No breaking changes for secure configurations
- Enhanced security for all TLS connections

**Test Results**:
- All single client tests pass 
- All builds successful 
- Consistent behavior across all client types 

This ensures uniform security enforcement and test expectations across
the entire go-redis library.
This commit is contained in:
ofekshenawa
2025-08-14 17:13:13 +03:00
parent 2614ca0e7e
commit 62a56aa6b1
2 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
osscluster_test.go
View File

@@ -1637,7 +1637,7 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
}, {
test: "ParseRedissURL",
url: "rediss://localhost:123",
o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost"}},
o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
}, {
test: "MissingRedisPort",
url: "redis://localhost",
@@ -1653,7 +1653,7 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
}, {
test: "MultipleRedissURLs",
url: "rediss://localhost:123?addr=localhost:1234&addr=localhost:12345",
o: &redis.ClusterOptions{Addrs: []string{"localhost:123", "localhost:1234", "localhost:12345"}, TLSConfig: &tls.Config{ServerName: "localhost"}},
o: &redis.ClusterOptions{Addrs: []string{"localhost:123", "localhost:1234", "localhost:12345"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
}, {
test: "RedissTLSParams",
url: "rediss://localhost:123?tls_server_name=abc&tls_min_version=771&tls_max_version=772&skip_verify=true",
@@ -1661,11 +1661,11 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
}, {
test: "RedissTLSCert",
url: "rediss://localhost:123?tls_cert_file=./testdata/testcert.pem&tls_key_file=./testdata/testkey.pem",
o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", Certificates: []tls.Certificate{testCert}}},
o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{testCert}}},
}, {
test: "RedissSkipVerify",
url: "rediss://localhost:123?skip_verify=true",
o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", InsecureSkipVerify: true}},
o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}},
}, {
test: "OnlyPassword",
url: "redis://:bar@localhost:123",

6
sentinel.go
View File

@@ -439,15 +439,17 @@ func setupFailoverConnParams(u *url.URL, o *FailoverOptions) (*FailoverOptions,
if minVer < 0 || minVer > 65535 {
return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
}
// Handle TLS version setting securely
// Always enforce TLS 1.2 as minimum
if minVer == 0 {
// Explicitly set MinVersion to TLS 1.2 for security
o.TLSConfig.MinVersion = tls.VersionTLS12
} else if minVer < int(tls.VersionTLS12) {
return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
} else {
o.TLSConfig.MinVersion = uint16(minVer)
}
} else {
// If not specified, always set minimum to TLS 1.2
o.TLSConfig.MinVersion = tls.VersionTLS12
}
if q.has("tls_max_version") {
maxVer := q.int("tls_max_version")