Address the final 3 CodeQL security alerts for 'Insecure TLS configuration':
**Root Cause**:
CodeQL detected that setting or
would result in , which is insecure
(TLS version 0).
**Security Fix**:
- When or is specified, don't set
the TLS version at all - let Go use its secure defaults
- Only set explicit TLS versions when they are >= TLS 1.2 (secure)
- Applied fix consistently across all client types
**Files Fixed**:
- options.go (lines 609, 620) - Single client
- osscluster.go (lines 336, 350) - Cluster client
- sentinel.go (lines 446, 460) - Sentinel client
**Security Behavior**:
- → Don't set MinVersion (Go default: secure)
- → Error: insecure, minimum TLS 1.2 required
- → Set explicit secure version
- Same logic applies to
**Test Coverage**:
- Added test case for behavior
- Verified all security validation tests pass
- Confirmed no regression in functionality
This resolves all remaining CodeQL security alerts while maintaining
secure defaults and clear error messages for insecure configurations.
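The validation rule described above, as an added example that is not go-redis code: tls_min_version/tls_max_version values below TLS 1.2 are rejected with an error, and an absent parameter leaves the field at zero so Go's secure default applies. The "1.2"-style value format is an assumption; the page does not show it.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// Assumption: URL values look like "1.2"; the page does not show the exact format.
var tlsVersionByName = map[string]uint16{
	"1.0": tls.VersionTLS10, "1.1": tls.VersionTLS11,
	"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13,
}

var ErrInsecureTLSVersion = errors.New("insecure TLS version: minimum TLS 1.2 required")

// parseSecureTLSVersion maps a tls_min_version/tls_max_version value to its
// crypto/tls constant and rejects anything below TLS 1.2 before it can reach
// tls.Config (the case CodeQL flags as an insecure minimum version).
func parseSecureTLSVersion(param, value string) (uint16, error) {
	v, ok := tlsVersionByName[value]
	if !ok {
		return 0, fmt.Errorf("%s: unknown TLS version %q", param, value)
	}
	if v < tls.VersionTLS12 {
		return 0, fmt.Errorf("%s=%s: %w", param, value, ErrInsecureTLSVersion)
	}
	return v, nil
}

// applyTLSVersionParams sets MinVersion/MaxVersion only for explicit, secure
// values. An empty parameter leaves the field at zero, so Go's own secure
// default applies instead of a hard-coded version.
func applyTLSVersionParams(cfg *tls.Config, minParam, maxParam string) error {
	for _, p := range []struct {
		name, value string
		field       *uint16
	}{{"tls_min_version", minParam, &cfg.MinVersion}, {"tls_max_version", maxParam, &cfg.MaxVersion}} {
		if p.value == "" {
			continue // not specified: leave Go's default in place
		}
		v, err := parseSecureTLSVersion(p.name, p.value)
		if err != nil {
			return err
		}
		*p.field = v
	}
	return nil
}
```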
Add comprehensive TLS URL parameter support across all Redis client types:
- Cluster Client (ParseClusterURL): Full TLS parameter support
- Sentinel Client (ParseFailoverURL): Full TLS parameter support
- Universal Client: Inherits support from underlying clients
Supported parameters for all client types:
- tls_cert_file and tls_key_file: Client certificate authentication
- tls_min_version and tls_max_version: TLS version constraints
- tls_server_name: Server name override for certificate validation
- skip_verify: Skip certificate verification (existing parameter)
Features:
- Consistent API across all client types
- Comprehensive test coverage for cluster client
- Enhanced documentation for all client configurations
- Proper error handling and validation
This ensures users have the same TLS configuration capabilities
regardless of which Redis client type they use, providing a
consistent and complete TLS configuration experience.
* Fix hard code of failing timeout
1. If the failing time limit is not set, the default is 15 seconds.
* feat: Complete configurable FailingTimeoutSeconds implementation
---------
Co-authored-by: Shino Wu <shino_wu@trendmicro.com>
- replace two similar functions `appendUniqueNode` and `appendIfNotExists` with a generic function.
- simplify the implementation of the `get` method in `clusterNodes`
- keep the member name `_generation` of `clusterNodes` consistent with other types.
- rename a data member `_masterAddr` to `masterAddr`.
Signed-off-by: Xiaolong Chen <fukua95@gmail.com>
* fix(txpipeline): keyless commands should take the slot of the keyed commands
* fix(txpipeline): extract only keyed cmds from all cmds
* chore(test): Add tests for keyless cmds and txpipeline
* fix(cmdSlot): Add preferred random slot
* fix(cmdSlot): Add shortlist of keyless cmds
* chore(test): Fix ring test
* fix(keylessCommands): Add list of keyless commands
Add list of keyless Commands based on the Commands output
for redis 8
* chore(txPipeline): refactor slottedCommands impl
* fix(osscluster): typo
* fix(txpipeline): should return error on multi/exec on multiple slots
* fix(txpipeline): test normal tx pipeline behaviour
* chore(err): Extract crossslot err and add test
* fix(txpipeline): short circuit the tx if there are no commands
* chore(tests): validate keys are in different slots
* wip
* update documentation
* add streamingcredentialsprovider in options
* fix: put back option in pool creation
* add package level comment
* Initial re authentication implementation
Introduces the StreamingCredentialsProvider as the CredentialsProvider
with the highest priority.
TODO: needs to be tested
* Change function type name
Change CancelProviderFunc to UnsubscribeFunc
* add tests
* fix race in tests
* fix example tests
* wip, hooks refactor
* fix build
* update README.md
* update wordlist
* update README.md
* refactor(auth): early returns in cred listener
* fix(doctest): simulate some delay
* feat(conn): add close hook on conn
* fix(tests): simulate start/stop in mock credentials provider
* fix(auth): don't double close the conn
* docs(README): mark streaming credentials provider as experimental
* fix(auth): streamline auth err process
* fix(auth): check err on close conn
* chore(entraid): use the repo under redis org
* migrate golangci-lint config to v2 format
* chore: skip CI on migration [skip ci]
* Bump golangci version
* Address several golangci-lint/staticcheck warnings
* change staticchecks settings
* fix: handle network error on SETINFO
This fix addresses potential out-of-order responses as described in `CVE-2025-29923`
* fix: deprecate DisableIndentity and introduce DisableIdentity
Both options will work before v10. In v10 DisableIndentity will be dropped. The preferred flag to use is `DisableIdentity`.
* fix: add unstableresp3 to cluster client
* propagate unstableresp3
* proper test that will ignore error, but fail if client panics
* add separate test for clusterclient constructor
Resolve a race condition in the clusterNodes.Addrs() method.
Previously, the method returned a reference to a string slice, creating
the potential for concurrent reads by the caller while the slice was
being modified by the garbage collection process.
Co-authored-by: Nedyalko Dyakov <nedyalko.dyakov@gmail.com>
* Only check latencies once every 10 seconds with `routeByLatency`
`routeByLatency` currently checks latencies any time a server returns
a MOVED or READONLY reply. When a shard is down, the ClusterClient
chooses to issue the request to a random server, which returns a MOVED
reply. This causes a state refresh and a latency update on all servers.
This can lead to significant ping load to clusters with a large number
of clients.
This introduces logic to ping only once every 10 seconds, only
performing a latency update on a node during the `GC` function if the
latency was set later than 10 seconds ago.
Fixes https://github.com/redis/go-redis/issues/2782
* use UnixNano instead of Unix for better precision
---------
Co-authored-by: ofekshenawa <104765379+ofekshenawa@users.noreply.github.com>
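The throttle described in the routeByLatency commit above, as an added example that is not go-redis code: a GC-style pass that re-measures a node's latency only when its last update is more than 10 seconds old, keyed on UnixNano timestamps. The `node` type, `refreshStaleLatencies` and the injected clock are hypothetical stand-ins for the real cluster node bookkeeping, which the page does not show.

```go
package main

import (
	"sync/atomic"
	"time"
)

// latencyCheckInterval mirrors the commit's "only once every 10 seconds".
const latencyCheckInterval = 10 * time.Second

// node is a hypothetical stand-in for a cluster node entry; the real go-redis
// type is not shown on the page. Timestamps are UnixNano, as the commit chose.
type node struct {
	addr        string
	latencyUs   uint32 // last measured latency, microseconds
	lastCheckNs int64  // UnixNano of the last latency update; 0 = never checked
}

// refreshStaleLatencies is the GC-style pass: it pings only nodes whose last
// latency update is older than latencyCheckInterval, so a burst of MOVED or
// READONLY replies cannot turn into a ping storm. nowNs is injected so the
// throttle is testable; it returns the addresses that were actually pinged.
func refreshStaleLatencies(nodes []*node, nowNs int64, ping func(addr string) time.Duration) []string {
	var pinged []string
	for _, n := range nodes {
		last := atomic.LoadInt64(&n.lastCheckNs)
		if last != 0 && nowNs-last < int64(latencyCheckInterval) {
			continue // checked within the last 10s: skip
		}
		atomic.StoreUint32(&n.latencyUs, uint32(ping(n.addr)/time.Microsecond))
		atomic.StoreInt64(&n.lastCheckNs, nowNs)
		pinged = append(pinged, n.addr)
	}
	return pinged
}

// newNodes builds constructed sample nodes for the demonstration.
func newNodes(addrs ...string) []*node {
	out := make([]*node, 0, len(addrs))
	for _, a := range addrs {
		out = append(out, &node{addr: a})
	}
	return out
}
```

In a real client the pass would be driven by `time.Now().UnixNano()` and the ping would be the actual PING round trip; here both are injected so the skip/refresh decision can be checked without a server.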