Skip to content

feat: add TLS URL parameters for rediss:// URLs #3475

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 17 commits into
base: master
Choose a base branch
from
+328 −6
Open

feat: add TLS URL parameters for rediss:// URLs #3475

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
c1e788b
feat: add TLS URL parameters
benweissmann Apr 20, 2022
2e2225e
fix: update test case for current TLS behavior
ofekshenawa Aug 14, 2025
185f6ab
feat: improve TLS URL parameters with snake_case naming
ofekshenawa Aug 14, 2025
3ba4a9a
Merge branch 'master' of https://github.com/redis/go-redis into imple…
ofekshenawa Aug 14, 2025
8c57646
feat: extend TLS URL parameters to all client types
ofekshenawa Aug 14, 2025
85cfa2d
security: fix CodeQL security vulnerabilities in TLS parameters
ofekshenawa Aug 14, 2025
a070b72
security: fix remaining CodeQL insecure TLS configuration alerts
ofekshenawa Aug 14, 2025
1cfe757
Potential fix for code scanning alert no. 15: Insecure TLS configuration
ofekshenawa Aug 14, 2025
a443622
Potential fix for code scanning alert no. 13: Insecure TLS configuration
ofekshenawa Aug 14, 2025
2614ca0
Potential fix for code scanning alert no. 14: Insecure TLS configuration
ofekshenawa Aug 14, 2025
62a56aa
fix: update test expectations for consistent TLS 1.2 enforcement
ofekshenawa Aug 14, 2025
8ff9a76
fix: update cluster test expectations for TLS 1.2 enforcement
ofekshenawa Aug 14, 2025
835d6ef
fix: update RedissUsernamePassword test case for TLS 1.2 enforcement
ofekshenawa Aug 14, 2025
5060993
Merge branch 'master' into implement-tls-url-parameters-pr2076
ofekshenawa Aug 14, 2025
7add47d
Merge branch 'master' into implement-tls-url-parameters-pr2076
ofekshenawa Aug 22, 2025
56829d4
Merge branch 'master' into implement-tls-url-parameters-pr2076
ndyakov Sep 2, 2025
15872f5
Merge branch 'master' into implement-tls-url-parameters-pr2076
ndyakov Oct 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions options.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -358,6 +358,10 @@
// names will be treated as unknown parameters
// - unknown parameter names will result in an error
// - use "skip_verify=true" to ignore TLS certificate validation
// - for rediss:// URLs, additional TLS parameters are supported:
// - tls_cert_file and tls_key_file: paths to client certificate and key files
// - tls_min_version and tls_max_version: TLS version constraints (e.g., 771 for TLS 1.2)
// - tls_server_name: override server name for certificate validation
//
// Examples:
//
Expand Down Expand Up @@ -575,6 +579,39 @@
} else {
o.ConnMaxLifetime = q.duration("max_conn_age")
}

if u.Scheme == "rediss" {
tlsCertFile := q.string("tls_cert_file")
tlsKeyFile := q.string("tls_key_file")

if (tlsCertFile == "") != (tlsKeyFile == "") {
return nil, fmt.Errorf("redis: tls_cert_file and tls_key_file URL parameters must be both set or both omitted")
}

if tlsCertFile != "" {
cert, certLoadErr := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)
if certLoadErr != nil {
return nil, fmt.Errorf("redis: error loading TLS certificate: %w", certLoadErr)
}

o.TLSConfig.Certificates = []tls.Certificate{cert}
}

if q.has("tls_min_version") {
o.TLSConfig.MinVersion = uint16(q.int("tls_min_version"))
}
if q.has("tls_max_version") {
o.TLSConfig.MaxVersion = uint16(q.int("tls_max_version"))
}

tlsServerName := q.string("tls_server_name")
if tlsServerName != "" {
// we explicitly check for this query parameter, so we don't overwrite
// the default server name (the hostname of the Redis server) if it's
// not given
o.TLSConfig.ServerName = tlsServerName
}
}
if q.err != nil {
return nil, q.err
}
Expand Down
75 changes: 73 additions & 2 deletions options_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,27 @@ import (
)

func TestParseURL(t *testing.T) {
certPem := []byte(`-----BEGIN CERTIFICATE-----
MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
6MF9+Yw1Yy0t
-----END CERTIFICATE-----`)
keyPem := []byte(`-----BEGIN EC PRIVATE KEY-----
Copy link

@jit-ci jit-ci bot Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Secret Detection Trufflehog

Privatekey

PrivateKey (Unverified)

Severity: HIGH

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "PrivateKey" in options_test.go; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
Copy link

@jit-ci jit-ci bot Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Secret Detection Trufflehog

Privatekey

PrivateKey (Unverified)

Severity: HIGH

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "PrivateKey" in options_test.go; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
-----END EC PRIVATE KEY-----`)
testCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
t.Fatal(err)
}

cases := []struct {
url string
o *Options // expected value
Expand All @@ -29,10 +50,27 @@ func TestParseURL(t *testing.T) {
o: &Options{Addr: "12345:6379"},
}, {
url: "rediss://localhost:123",
o: &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ /* no deep comparison */ }},
o: &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
}, {
url: "rediss://localhost:123?tls_server_name=abc&tls_min_version=1&tls_max_version=3&skip_verify=true",
o: &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "abc", MinVersion: 1, MaxVersion: 3, InsecureSkipVerify: true}},
}, {
url: "rediss://localhost:123?tls_cert_file=./testdata/testcert.pem&tls_key_file=./testdata/testkey.pem",
o: &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{testCert}}},
}, {
url: "rediss://localhost:123?tls_cert_file=./testdata/doesnotexist.pem&tls_key_file=./testdata/testkey.pem",
o: &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "abc"}},
err: errors.New("redis: error loading TLS certificate: open ./testdata/doesnotexist.pem: no such file or directory"),
}, {
url: "rediss://localhost:123?tls_cert_file=./testdata/testcert.pem",
o: &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "abc"}},
err: errors.New("redis: tls_cert_file and tls_key_file URL parameters must be both set or both omitted"),
}, {
url: "rediss://localhost:123?tls_key_file=./testdata/testkey.pem",
err: errors.New("redis: tls_cert_file and tls_key_file URL parameters must be both set or both omitted"),
}, {
url: "rediss://localhost:123/?skip_verify=true",
o: &Options{Addr: "localhost:123", TLSConfig: &tls.Config{InsecureSkipVerify: true}},
o: &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}},
}, {
url: "redis://:bar@localhost:123",
o: &Options{Addr: "localhost:123", Password: "bar"},
Expand Down Expand Up @@ -197,6 +235,39 @@ func comprareOptions(t *testing.T, actual, expected *Options) {
if actual.ConnMaxLifetime != expected.ConnMaxLifetime {
t.Errorf("ConnMaxLifetime: got %v, expected %v", actual.ConnMaxLifetime, expected.ConnMaxLifetime)
}

if (actual.TLSConfig == nil) != (expected.TLSConfig == nil) {
t.Errorf("TLSConfig nil: got %v, expected %v", actual.TLSConfig == nil, expected.TLSConfig == nil)
}

if (actual.TLSConfig != nil) && (expected.TLSConfig != nil) {
if actual.TLSConfig.MinVersion != expected.TLSConfig.MinVersion {
t.Errorf("TLSConfig.MinVersion: got %v, expected %v", actual.TLSConfig.MinVersion, expected.TLSConfig.MinVersion)
}

if actual.TLSConfig.MaxVersion != expected.TLSConfig.MaxVersion {
t.Errorf("TLSConfig.MaxVersion: got %v, expected %v", actual.TLSConfig.MaxVersion, expected.TLSConfig.MaxVersion)
}

if actual.TLSConfig.ServerName != expected.TLSConfig.ServerName {
t.Errorf("TLSConfig.ServerName: got %v, expected %v", actual.TLSConfig.ServerName, expected.TLSConfig.ServerName)
}

if actual.TLSConfig.InsecureSkipVerify != expected.TLSConfig.InsecureSkipVerify {
t.Errorf("TLSConfig.InsecureSkipVerify: got %v, expected %v", actual.TLSConfig.InsecureSkipVerify, expected.TLSConfig.InsecureSkipVerify)
}

if len(actual.TLSConfig.Certificates) != len(expected.TLSConfig.Certificates) {
t.Errorf("TLSConfig.Certificates: got %v, expected %v", actual.TLSConfig.Certificates, expected.TLSConfig.Certificates)
}

for i, actualCert := range actual.TLSConfig.Certificates {
expectedCert := expected.TLSConfig.Certificates[i]
if !actualCert.Leaf.Equal(expectedCert.Leaf) {
t.Errorf("TLSConfig.Certificates[%d].Leaf: got %v, expected %v", i, actual.TLSConfig.Certificates, expected.TLSConfig.Certificates)
}
}
}
}

// Test ReadTimeout option initialization, including special values -1 and 0.
Expand Down
11 changes: 11 additions & 0 deletions testdata/testcert.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
6MF9+Yw1Yy0t
-----END CERTIFICATE-----
5 changes: 5 additions & 0 deletions testdata/testkey.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
Copy link

@jit-ci jit-ci bot Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Secret Detection Trufflehog

Privatekey

PrivateKey (Unverified)

Severity: HIGH

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "PrivateKey" in testdata/testkey.pem; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
Copy link

@jit-ci jit-ci bot Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Static Code Analysis Semgrep Pro

Generic.Secrets.Security.Detected-Private-Key.Detected-Private-Key

Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.

Severity: HIGH

Learn more about this issue

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "generic.secrets.security.detected-private-key.detected-private-key" in testdata/testkey.pem; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
-----END EC PRIVATE KEY-----
Loading