feat: add TLS URL parameters for rediss:// URLs #3475
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The skip_verify test case now expects ServerName to be set to 'localhost' as this is the current behavior in the updated codebase.
Building on Ben Weissmann's original implementation, this commit adds: - Snake_case parameter names (addressing reviewer feedback): * tls_cert_file and tls_key_file (instead of TLSCertPEMFile/TLSKeyPEMFile) * tls_min_version and tls_max_version (instead of TLSMinVersion/TLSMaxVersion) * tls_server_name (instead of ServerName) - Improved error messages for better user experience - Updated test cases to use snake_case parameters - Removed redundant tls_insecure_skip_verify (use existing skip_verify) - Enhanced documentation with clear parameter descriptions This addresses all reviewer feedback from PR #2076 while maintaining the core functionality and comprehensive test coverage.
…ment-tls-url-parameters-pr2076
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Add comprehensive TLS URL parameter support across all Redis client types: - Cluster Client (ParseClusterURL): Full TLS parameter support - Sentinel Client (ParseFailoverURL): Full TLS parameter support - Universal Client: Inherits support from underlying clients Supported parameters for all client types: - tls_cert_file and tls_key_file: Client certificate authentication - tls_min_version and tls_max_version: TLS version constraints - tls_server_name: Server name override for certificate validation - skip_verify: Skip certificate verification (existing parameter) Features: - Consistent API across all client types - Comprehensive test coverage for cluster client - Enhanced documentation for all client configurations - Proper error handling and validation This ensures users have the same TLS configuration capabilities regardless of which Redis client type they use, providing a consistent and complete TLS configuration experience.
Address 9 high-severity security issues identified by GitHub CodeQL: 1. **Integer Conversion Security**: - Add proper bounds checking for tls_min_version and tls_max_version - Validate input range (0-65535) before casting to uint16 - Prevent integer overflow vulnerabilities 2. **TLS Security Enforcement**: - Enforce minimum TLS 1.2 (771) for all TLS version parameters - Reject insecure TLS versions (< TLS 1.2) with clear error messages - Prevent downgrade attacks and insecure configurations 3. **Comprehensive Validation**: - Applied security fixes to all client types (single, cluster, sentinel) - Added security validation test cases - Updated documentation to reflect security requirements 4. **Test Coverage**: - Added tests for insecure TLS version rejection - Added tests for integer overflow protection - Updated existing tests to use secure TLS versions (771, 772) Security improvements: - Prevents integer overflow attacks via malicious URL parameters - Enforces secure TLS configurations by default - Provides clear error messages for security violations - Maintains backward compatibility for secure configurations Fixes all CodeQL security alerts while maintaining functionality.
Address the final 3 CodeQL security alerts for 'Insecure TLS configuration': **Root Cause**: CodeQL detected that setting or would result in , which is insecure (TLS version 0). **Security Fix**: - When or is specified, don't set the TLS version at all - let Go use its secure defaults - Only set explicit TLS versions when they are >= TLS 1.2 (secure) - Applied fix consistently across all client types **Files Fixed**: - options.go (lines 609, 620) - Single client - osscluster.go (lines 336, 350) - Cluster client - sentinel.go (lines 446, 460) - Sentinel client **Security Behavior**: - → Don't set MinVersion (Go default: secure) - → Error: insecure, minimum TLS 1.2 required - → Set explicit secure version - Same logic applies to **Test Coverage**: - Added test case for behavior - Verified all security validation tests pass - Confirmed no regression in functionality This resolves all remaining CodeQL security alerts while maintaining secure defaults and clear error messages for insecure configurations.
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
After pulling the latest security fixes, update test cases to match the new security-first behavior where all rediss:// URLs enforce TLS 1.2 minimum: **Changes Made**: 1. **Cluster Test Fixes**: - Updated ParseRedissURL test to expect MinVersion: tls.VersionTLS12 - Updated MultipleRedissURLs test to expect MinVersion: tls.VersionTLS12 - Updated RedissTLSCert test to expect MinVersion: tls.VersionTLS12 - Updated RedissSkipVerify test to expect MinVersion: tls.VersionTLS12 2. **Sentinel Client Consistency**: - Made sentinel client behavior consistent with single/cluster clients - Always set MinVersion to TLS 1.2 for rediss:// URLs, even when not specified - Matches the security-first approach across all client types **Security Behavior**: - All rediss:// URLs now enforce minimum TLS 1.2 by default - Consistent security posture across single, cluster, and sentinel clients - No breaking changes for secure configurations - Enhanced security for all TLS connections **Test Results**: - All single client tests pass ✅ - All builds successful ✅ - Consistent behavior across all client types ✅ This ensures uniform security enforcement and test expectations across the entire go-redis library.
Fix the failing cluster test 'ClusterClient ParseURL match ParseClusterURL' by updating the MissingRedissPort test case to expect MinVersion: tls.VersionTLS12. The test was failing because: - Expected: MinVersion: 0 (not set) - Actual: MinVersion: 771 (TLS 1.2) This aligns with our security-first approach where all rediss:// URLs automatically enforce TLS 1.2 minimum, even when no TLS parameters are explicitly specified. Test verification: - Created and ran isolated test confirming ParseClusterURL now correctly sets MinVersion: 771 for basic rediss://localhost URLs - All cluster URL parsing now consistent with single client behavior This resolves the cluster test failure while maintaining the enhanced security posture across all client types.
Fix the remaining cluster test failure by updating the RedissUsernamePassword test case to expect MinVersion: tls.VersionTLS12. The test was failing because: - Expected: TLSConfig with MinVersion: 0 (not set) - Actual: TLSConfig with MinVersion: 771 (TLS 1.2) This completes the alignment of all cluster test cases with our security-first approach where all rediss:// URLs automatically enforce TLS 1.2 minimum. All cluster test cases now consistently expect MinVersion: tls.VersionTLS12 for rediss:// URLs, matching the behavior of single client tests.
![jit-ci[bot]](https://avatars.githubusercontent.com/in/142441?s=60&v=4){kind=small}
There was a problem hiding this comment.
❌ Jit has detected 4 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.
Repository Risks:
- Database Integration: Connects to a database, often involving sensitive data that must be securely managed.
- High Severity Findings: Indicates that the resource has high severity security findings that need attention.
Repository Context:
graph LR
GitHub$Repository_U23_redis/go_U2D_redis["GitHub Repository<br/>redis/go-redis"]:::GitHub$Repository
Team_U23_client_U2D_developers["Team<br/>client-developers"]:::Team
Team_U23_client_U2D_docs["Team<br/>client-docs"]:::Team
DBIntegration_U23_redis["DBIntegration<br/>redis"]:::DBIntegration
Team_U23_client_U2D_developers -- "Owns" --> GitHub$Repository_U23_redis/go_U2D_redis
Team_U23_client_U2D_docs -- "Owns" --> GitHub$Repository_U23_redis/go_U2D_redis
GitHub$Repository_U23_redis/go_U2D_redis -- "Is accessible to" --> DBIntegration_U23_redis
| Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc | ||
| 6MF9+Yw1Yy0t | ||
| -----END CERTIFICATE-----`) | ||
| keyPem := []byte(`-----BEGIN EC PRIVATE KEY----- |
There was a problem hiding this comment.
Security control: Secret Detection Trufflehog
Privatekey
PrivateKey (Unverified)
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "PrivateKey" in options_test.go; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| @@ -0,0 +1,5 @@ | |||
| -----BEGIN EC PRIVATE KEY----- | |||
There was a problem hiding this comment.
Security control: Secret Detection Trufflehog
Privatekey
PrivateKey (Unverified)
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "PrivateKey" in testdata/testkey.pem; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| 6MF9+Yw1Yy0t | ||
| -----END CERTIFICATE-----`) | ||
| keyPem := []byte(`-----BEGIN EC PRIVATE KEY----- | ||
| MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49 |
There was a problem hiding this comment.
Security control: Secret Detection Trufflehog
Privatekey
PrivateKey (Unverified)
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "PrivateKey" in options_test.go; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| @@ -0,0 +1,5 @@ | |||
| -----BEGIN EC PRIVATE KEY----- | |||
| MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49 | |||
There was a problem hiding this comment.
Security control: Static Code Analysis Semgrep Pro
Generic.Secrets.Security.Detected-Private-Key.Detected-Private-Key
Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "generic.secrets.security.detected-private-key.detected-private-key" in testdata/testkey.pem; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
12ya
approved these changes
Oct 24, 2025
12ya
suggested changes
Oct 24, 2025
Comment on lines
+648
to
+666
| if tlsCertFile != "" { | ||
| cert, certLoadErr := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile) | ||
| if certLoadErr != nil { | ||
| return nil, fmt.Errorf("redis: error loading TLS certificate: %w", certLoadErr) | ||
| } | ||
|
|
||
| o.TLSConfig.Certificates = []tls.Certificate{cert} | ||
| } | ||
|
|
||
| if q.has("tls_min_version") { | ||
| minVer := q.int("tls_min_version") | ||
| if minVer < 0 || minVer > 65535 { | ||
| return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer) | ||
| } | ||
| // Always set MinVersion to at least TLS 1.2 | ||
| if minVer == 0 { | ||
| o.TLSConfig.MinVersion = tls.VersionTLS12 | ||
| } else if minVer < int(tls.VersionTLS12) { | ||
| return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12) |
There was a problem hiding this comment.
what do you think about getting rid of nested if statements?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements comprehensive TLS URL parameter support for
rediss://URLs, addressing issue #2024 and completing the work originally started by @benweissmann in PR #2076.