Option to configure SSL/TLS verification level #1460
Comments
What a few drivers provide is an SSL mode enum (like disabled, enabled, verify ca, verify full). On the other side, there are several ways to verify a certificate (subject/SAN check, issuer trust relationship, validity period, fingerprinting). Fingerprint checking in particular is gaining popularity. I wonder whether we can combine these aspects somehow.
Probably, there's a misconception. Java's What we can do here is introducing an SSL verification level as we're additionally configuring That intent could be expressed through
Is there any other option to implement this than providing a custom X509ExtendedTrustManager to sslContextBuilder in SslConnectionBuilder?

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.TrustManagerFactorySpi;
import javax.net.ssl.X509ExtendedTrustManager;
import io.netty.util.internal.EmptyArrays;

// TrustManagerFactory's constructor is protected, hence the anonymous subclass at the end.
sslContextBuilder.trustManager(new TrustManagerFactory(new TrustManagerFactorySpi() {
    @Override
    protected void engineInit(KeyStore keyStore) {
        // NOOP
    }

    @Override
    protected TrustManager[] engineGetTrustManagers() {
        // Provide a custom trust manager; this manager trusts all certificates,
        // i.e. it performs no chain, validity or host-name check at all.
        return new TrustManager[] {
            new X509ExtendedTrustManager() {
                @Override
                public void checkClientTrusted(final X509Certificate[] chain, final String authType,
                        final Socket socket) throws CertificateException {
                    // NOOP
                }

                @Override
                public void checkServerTrusted(final X509Certificate[] chain, final String authType,
                        final Socket socket) throws CertificateException {
                    // NOOP
                }

                @Override
                public void checkClientTrusted(final X509Certificate[] chain, final String authType,
                        final SSLEngine engine) throws CertificateException {
                    // NOOP
                }

                @Override
                public void checkServerTrusted(final X509Certificate[] chain, final String authType,
                        final SSLEngine engine) throws CertificateException {
                    // NOOP
                }

                @Override
                public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {
                    // NOOP
                }

                @Override
                public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {
                    // NOOP
                }

                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return EmptyArrays.EMPTY_X509_CERTIFICATES;
                }
            }
        };
    }

    @Override
    protected void engineInit(ManagerFactoryParameters managerFactoryParameters) {
        // NOOP
    }
}, null, TrustManagerFactory.getDefaultAlgorithm()) {
});
```
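The trust manager in the comment above accepts every certificate, which is why the maintainers' answer below distinguishes a "CA" level from "NONE". As an added example (not code from this issue, from Lettuce or from Netty), here is the shape of a trust manager that keeps the JDK's chain validation but omits host-name matching. It relies only on standard JSSE classes; the class name ChainOnlyTrustManager is an assumption of this example, and it would be wired in at the same place the comment above installs its TrustManagerFactory.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

// Added example: validates the server chain with the JDK's PKIX trust manager
// but deliberately skips end-point identification (host-name matching).
public final class ChainOnlyTrustManager extends X509ExtendedTrustManager {

    private final X509TrustManager delegate;

    private ChainOnlyTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
    }

    /**
     * A null KeyStore selects the JDK default trust store (cacerts). Passing a
     * KeyStore that holds only the CA which issued the server certificate narrows
     * trust to that issuer, which matters once the name check is gone.
     */
    public static ChainOnlyTrustManager create(KeyStore trustStore)
            throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new ChainOnlyTrustManager((X509TrustManager) tm);
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    // The Socket/SSLEngine-aware overloads are where the JDK's own trust manager
    // performs host-name matching. Routing them to the two-argument method keeps
    // chain building, signature and validity-period checks and drops only the name check.
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        checkServerTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        checkServerTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        // Throws for untrusted issuers, expired or not-yet-valid certificates, bad signatures.
        delegate.checkServerTrusted(chain, authType);
    }

    // A Redis client never authenticates clients; refuse rather than silently accept.
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        throw new CertificateException("client certificates are not accepted here");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        throw new CertificateException("client certificates are not accepted here");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client certificates are not accepted here");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }
}
```

Without the name check, any certificate chaining to any CA in the trust store is accepted for any host, so pair this with a trust store that contains only the expected issuer rather than the full cacerts bundle.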
RedisURI.setVerifyPeer(…) now accepts SslVerifyMode to configure the level of SSL verification. setVerifyPeer(true) (default) maps to FULL, setVerifyPeer(false) maps to NONE. SslVerifyMode.CA allows verifying the certificate validity using the default (or configured) trust manager without peer name verification.
That's in place now via
Can TLS 1.2 be configured now using Lettuce?
Yes, via
Cool, thanks.
If we are using Spring Data Redis with the Lettuce client, how can we set this flag? Currently I do not see any provision to set this up for those who are using Spring Data Redis.
Feature Request
Need an option to only skip host name verification of the server certificate.
Typically when using AWS Redis the host name is a random name.
So we use a pre-defined DNS name for it instead but then the certificate by AWS will not match the hostname.
There is an option called "verifyPeer", but when that is set to false, not only is host name verification skipped; all kinds of certificate verification are skipped as well. So that option can't be used in production.
Describe the solution you'd like
A dedicated option to only skip host name verification just like standard SSL factory has.
Describe alternatives you've considered
Teachability, Documentation, Adoption, Migration Strategy
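The scenario in this feature request (a private DNS alias whose name does not match the server certificate) is what the SslVerifyMode.CA level described in the maintainer's comment above addresses. As an added example, not code from the issue or from the Lettuce project, the following shows the three verification levels side by side and restricts CA-mode trust to one issuer. It assumes the io.lettuce.core RedisURI.Builder.withVerifyPeer(SslVerifyMode), SslOptions and ClientOptions APIs as they exist in Lettuce 6.x; the host names and the trust-store path are placeholders.

```java
import java.io.File;
import io.lettuce.core.ClientOptions;
import io.lettuce.core.RedisClient;
import io.lettuce.core.RedisURI;
import io.lettuce.core.SslOptions;
import io.lettuce.core.SslVerifyMode;
import io.lettuce.core.api.StatefulRedisConnection;

// Added example: choosing a verification level per RedisURI (Lettuce 6.x API assumed).
public final class VerifyModeExample {

    /** FULL: chain validated and host name matched. This is what setVerifyPeer(true) selects. */
    static RedisURI fullVerification(String host) {
        return RedisURI.builder()
                .withHost(host)
                .withPort(6379)
                .withSsl(true)
                .withVerifyPeer(SslVerifyMode.FULL)
                .build();
    }

    /** CA: chain validated against the (default or configured) trust store, host name not checked. */
    static RedisURI chainOnlyVerification(String dnsAlias) {
        return RedisURI.builder()
                .withHost(dnsAlias)
                .withPort(6379)
                .withSsl(true)
                .withVerifyPeer(SslVerifyMode.CA)
                .build();
    }

    /** NONE: no certificate checks at all; what setVerifyPeer(false) selects. Not for production. */
    static RedisURI noVerification(String host) {
        return RedisURI.builder()
                .withHost(host)
                .withPort(6379)
                .withSsl(true)
                .withVerifyPeer(SslVerifyMode.NONE)
                .build();
    }

    /**
     * Narrow CA mode to the issuer you actually expect: a trust store (JKS or PKCS12)
     * containing only that CA, instead of every CA in the JDK's cacerts.
     */
    static ClientOptions pinnedIssuer(File trustStore, String trustStorePassword) {
        return ClientOptions.builder()
                .sslOptions(SslOptions.builder()
                        .truststore(trustStore, trustStorePassword)
                        .build())
                .build();
    }

    public static void main(String[] args) {
        // Placeholder alias that does not appear in the server certificate's SAN list.
        RedisURI uri = chainOnlyVerification("redis.internal.example");
        RedisClient client = RedisClient.create(uri);
        // Placeholder trust-store path and password; constructed for this example.
        client.setOptions(pinnedIssuer(new File("/path/to/redis-ca-truststore.p12"), "changeit"));
        try (StatefulRedisConnection<String, String> conn = client.connect()) {
            System.out.println(conn.sync().ping());
        } finally {
            client.shutdown();
        }
    }
}
```

With CA mode the only thing the client can no longer detect is a certificate issued by a trusted CA for a different name, so the trust store should contain just the issuer of the Redis endpoint's certificate; FULL remains the right default wherever the advertised host name does match the certificate.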