Skip to content

fix: add SNI servername for TLS connection from host field#2105

Open
dougEfresh wants to merge 3 commits into
redis:mainfrom
dougefresher:main
Open

fix: add SNI servername for TLS connection from host field#2105
dougEfresh wants to merge 3 commits into
redis:mainfrom
dougefresher:main

Conversation

@dougEfresh

@dougEfresh dougEfresh commented Apr 20, 2026

Copy link
Copy Markdown

If servername field is not explicitly set then use host field for SNI identification.
This allows TLS terminating proxies to determine which cert to serve.


Note

Low Risk
Small, localized change to connection option construction plus targeted tests; behavior only changes when TLS is used without an explicit servername.

Overview
StandaloneConnector now auto-populates TLS servername from the configured host when TLS is enabled and servername isn’t explicitly provided, while skipping IP hosts to avoid invalid SNI.

Unit tests were extended to cover the new SNI defaulting behavior for hostname vs IP host values.

Reviewed by Cursor Bugbot for commit 61db0c1. Bugbot is set up for automated code reviews on this repo. Configure here.

…licitly set

This allows TLS terminating proxies to determine which cert to serve
@jit-ci

jit-ci Bot commented Apr 20, 2026

Copy link
Copy Markdown

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

@jit-ci

jit-ci Bot commented Apr 20, 2026

Copy link
Copy Markdown

🛡️ Jit Security Scan Results

CRITICAL HIGH MEDIUM

✅ No security findings were detected in this PR


Security scan by Jit

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 461c4cc. Configure here.

Comment thread lib/connectors/StandaloneConnector.ts
@PavelPashov

Copy link
Copy Markdown
Contributor

@dougEfresh Thanks for the contribution. Could you also add a test that reproduces this issue and verifies that the solution works as expected?

@dougEfresh

Copy link
Copy Markdown
Author

@PavelPashov I added a couple of tests

@PavelPashov PavelPashov left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving this as-is. As a small follow-up, it may be worth applying the same servername fallback in the Sentinel connector as well, so TLS behavior stays consistent across connection modes.

Comment on lines 42 to 50
if (options.tls) {
Object.assign(connectionOptions, options.tls);
if ("host" in connectionOptions && !("servername" in connectionOptions)) {
const host = (connectionOptions as TcpOptions).host;
if (host && !isIP(host)) {
(connectionOptions as any).servername = host;
}
}
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding the tls.servername even when tls is undefined would be a good improvement.

In my case, where I'm using only the tls.servername, I would need to set an empty tls: {} to trigger this servername logic, which would be kinda weird.

I believe setting the servername for non-TLS connections isn't a breaking change, right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants