SSL CN name checked failed after Redis Sentinel failover #1812

Closed
aashishamrute opened this issue Jul 20, 2021 · 1 comment
Comments


aashishamrute commented Jul 20, 2021

Bug Report

Current Behavior

Redis Sentinel setup: 3 sentinels and 3 Redis nodes with TLS connections.
The first attempt to connect to Redis with TLS is successful, but when the master goes down, Sentinel elects a new master; while connecting to the new master, CN name verification fails, as the Lettuce lib is still using the old master host name for verification. It connects to the new master but verifies the certificate CN name against the old master.

Please note, the issue exists whether Sentinel announces an IP address or a DNS hostname.

Environment

  • Lettuce version(s): 6.1.1.RELEASE
  • Redis version: 6
@mp911de mp911de added the type: bug A general bug label Jul 20, 2021

mp911de commented Jul 20, 2021

This is indeed a bug. The SSL handler is initialized once at connection creation with the SocketAddress reported by sentinel. Upon reconnects, the SSL handler retains its initial SocketAddress but the actual address where the connection reconnect points to is already a different one. We need to provide means to ConnectionWatchdog and ReconnectHandler to re-initialize the ChannelInitializer to ensure that the SSL validation happens against the correct endpoint.

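The failure mode described in the comment above, as an added Netty-level illustration (hypothetical class, not Lettuce's own SslChannelInitializer): the peer host handed to the SslHandler must come from the address being dialed now, not from the address captured when the initializer was first built. Assumes Netty is on the classpath; the class and supplier names are invented for the example.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress;
import java.util.function.Supplier;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical class; shows the stale-address bug pattern and its fix, not Lettuce's code.
final class EndpointAwareSslInitializer extends ChannelInitializer<Channel> {

    private final SslContext sslContext;
    // Fixed variant: the reconnect logic updates this Supplier with the endpoint it is
    // about to dial (e.g. the new master announced by Sentinel), so initChannel() builds
    // the SslHandler for the current target on every (re)connect.
    private final Supplier<InetSocketAddress> currentTarget;

    EndpointAwareSslInitializer(SslContext sslContext, Supplier<InetSocketAddress> currentTarget) {
        this.sslContext = sslContext;
        this.currentTarget = currentTarget;
    }

    // Buggy variant for comparison: the address reported at first connect is captured once
    // and never refreshed, so after a failover verification still targets the old master.
    static EndpointAwareSslInitializer staleHost(SslContext ctx, InetSocketAddress first) {
        return new EndpointAwareSslInitializer(ctx, () -> first);
    }

    @Override
    protected void initChannel(Channel ch) {
        InetSocketAddress target = currentTarget.get();
        // peerHost/peerPort drive SNI and hostname verification for this handshake.
        SslHandler ssl = sslContext.newHandler(ch.alloc(), target.getHostString(), target.getPort());
        enableHostnameVerification(ssl.engine());
        ch.pipeline().addFirst(ssl);
    }

    // RFC 2818 endpoint identification: the certificate's SAN/CN must match peerHost.
    // Without it only chain validation runs and a wrong host name goes unnoticed.
    private static void enableHostnameVerification(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }
}
```

The defender's check here is the hostname verification itself: with it enabled, a reconnect to a new master whose certificate does not match the stale host fails closed, which is the symptom reported in this issue rather than a silent success against the wrong identity.
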
aashishamrute added a commit to aashishamrute/lettuce-core that referenced this issue Aug 30, 2021
@mp911de mp911de changed the title SSL CN name checked failed after redis sentinel failover SSL CN name checked failed after Redis Sentinel failover Sep 3, 2021
@mp911de mp911de added this to the 6.0.8 milestone Sep 3, 2021
mp911de pushed a commit that referenced this issue Sep 3, 2021
mp911de added a commit that referenced this issue Sep 3, 2021
Move SslChannelInitializer creation from SslConnectionBuilder into SslChannelInitializer. Tweak method names.

Original pull request: #1836.
@mp911de mp911de closed this as completed Sep 3, 2021