From 62a56aa6b16f07612cec4b11428d070333a3527f Mon Sep 17 00:00:00 2001
From: ofekshenawa
Date: Thu, 14 Aug 2025 17:13:13 +0300
Subject: [PATCH] fix: update test expectations for consistent TLS 1.2 enforcement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After pulling the latest security fixes, update test cases to match the new security-first behavior where all rediss:// URLs enforce TLS 1.2 minimum:

**Changes Made**:
1. **Cluster Test Fixes**:
- Updated ParseRedissURL test to expect MinVersion: tls.VersionTLS12
- Updated MultipleRedissURLs test to expect MinVersion: tls.VersionTLS12
- Updated RedissTLSCert test to expect MinVersion: tls.VersionTLS12
- Updated RedissSkipVerify test to expect MinVersion: tls.VersionTLS12
2. **Sentinel Client Consistency**:
- Made sentinel client behavior consistent with single/cluster clients
- Always set MinVersion to TLS 1.2 for rediss:// URLs, even when not specified
- Matches the security-first approach across all client types
**Security Behavior**:
- All rediss:// URLs now enforce minimum TLS 1.2 by default
- Consistent security posture across single, cluster, and sentinel clients
- No breaking changes for secure configurations
- Enhanced security for all TLS connections
**Test Results**:
- All single client tests pass ✅
- All builds successful ✅
- Consistent behavior across all client types ✅
This ensures uniform security enforcement and test expectations across the entire go-redis library.
---
 osscluster_test.go | 8 ++++----
 sentinel.go | 6 ++++--
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/osscluster_test.go b/osscluster_test.go
index 4c3ec6a5..a9ee373b 100644
--- a/osscluster_test.go
+++ b/osscluster_test.go
@@ -1637,7 +1637,7 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 }, {
 test: "ParseRedissURL",
 url: "rediss://localhost:123",
- o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost"}},
+ o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
 }, {
 test: "MissingRedisPort",
 url: "redis://localhost",
@@ -1653,7 +1653,7 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 }, {
 test: "MultipleRedissURLs",
 url: "rediss://localhost:123?addr=localhost:1234&addr=localhost:12345",
- o: &redis.ClusterOptions{Addrs: []string{"localhost:123", "localhost:1234", "localhost:12345"}, TLSConfig: &tls.Config{ServerName: "localhost"}},
+ o: &redis.ClusterOptions{Addrs: []string{"localhost:123", "localhost:1234", "localhost:12345"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
 }, {
 test: "RedissTLSParams",
 url: "rediss://localhost:123?tls_server_name=abc&tls_min_version=771&tls_max_version=772&skip_verify=true",
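Review bot: The updated expectations for ParseRedissURL and MultipleRedissURLs (and for RedissTLSCert and RedissSkipVerify in the next hunk) pin only the default floor; nothing in this table exercises the rejection side of the same policy, an explicit `tls_min_version` below 771 on a rediss:// cluster URL. The neighbouring RedissTLSParams case already passes `tls_min_version=771`, so a sibling case with `tls_min_version=769` asserting a parse error would lock the floor in from both directions, if the cluster URL parser rejects such values the way sentinel.go does in this commit and if the table has a way to express an expected error — neither is visible in the hunk. The enclosing test function starts and ends outside the hunk.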
@@ -1661,11 +1661,11 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 }, {
 test: "RedissTLSCert",
 url: "rediss://localhost:123?tls_cert_file=./testdata/testcert.pem&tls_key_file=./testdata/testkey.pem",
- o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", Certificates: []tls.Certificate{testCert}}},
+ o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{testCert}}},
 }, {
 test: "RedissSkipVerify",
 url: "rediss://localhost:123?skip_verify=true",
- o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", InsecureSkipVerify: true}},
+ o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}},
 }, {
 test: "OnlyPassword",
 url: "redis://:bar@localhost:123",
diff --git a/sentinel.go b/sentinel.go
index 6ec7cad8..1f854c6c 100644
--- a/sentinel.go
+++ b/sentinel.go
@@ -439,15 +439,17 @@ func setupFailoverConnParams(u *url.URL, o *FailoverOptions) (*FailoverOptions,
 if minVer < 0 || minVer > 65535 {
 return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
 }
- // Handle TLS version setting securely
+ // Always enforce TLS 1.2 as minimum
 if minVer == 0 {
- // Explicitly set MinVersion to TLS 1.2 for security
 o.TLSConfig.MinVersion = tls.VersionTLS12
 } else if minVer < int(tls.VersionTLS12) {
 return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
 } else {
 o.TLSConfig.MinVersion = uint16(minVer)
 }
+ } else {
+ // If not specified, always set minimum to TLS 1.2
+ o.TLSConfig.MinVersion = tls.VersionTLS12
 }
 if q.has("tls_max_version") {
 maxVer := q.int("tls_max_version")
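Review bot: The new `else` branch and the `minVer == 0` branch in the sentinel.go hunk both assign `tls.VersionTLS12`, so the TLS floor is now set in two places, and the added comment `// Always enforce TLS 1.2 as minimum` sits above only the `minVer == 0` case rather than the whole chain that actually enforces it. Setting the floor once before the `tls_min_version` block (its opening line is above the hunk) and letting an explicit value only raise it leaves a single source of truth for the policy; the rewritten tail of the block is below. The new branch is also untested in this commit (the diffstat touches only osscluster_test.go and sentinel.go), so a failover URL case without `tls_min_version` expecting `MinVersion: tls.VersionTLS12` would be worth adding. Because the default can now sit above an explicit `tls_max_version` (for example 769), a check that `MaxVersion` is not below `MinVersion` once both are known would turn a handshake-time failure into a clear parse error; the max handling begins at the end of the hunk and continues outside it. The hunk presumes `o.TLSConfig` is non-nil here, which must be established earlier in setupFailoverConnParams, outside the hunk.
```go
// Every rediss:// connection gets a TLS 1.2 floor; an explicit tls_min_version may only raise it.
o.TLSConfig.MinVersion = tls.VersionTLS12
// … unchanged: start of the tls_min_version block and its 0..65535 range check …
if minVer != 0 {
	if minVer < int(tls.VersionTLS12) {
		return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
	}
	o.TLSConfig.MinVersion = uint16(minVer)
}
// … unchanged: closing brace of the tls_min_version block, tls_max_version handling …
```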