Merge pull request #900 from bpo/verify-ssl-certs

Fix TLS connections not verified by default
redis · May 1, 2020 · 67a59b4 · 67a59b4
2 parents 976c272 + 3dc3374
commit 67a59b4
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/lib/redis/connection/ruby.rb b/lib/redis/connection/ruby.rb
@@ -263,7 +263,9 @@ def self.connect(host, port, timeout, ssl_params)
           tcp_sock = TCPSocket.connect(host, port, timeout)
 
           ctx = OpenSSL::SSL::SSLContext.new
-          ctx.set_params(ssl_params) if ssl_params && !ssl_params.empty?
+
+          # The provided parameters are merged into OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+          ctx.set_params(ssl_params || {})
 
           ssl_sock = new(tcp_sock, ctx)
           ssl_sock.hostname = host

diff --git a/test/ssl_test.rb b/test/ssl_test.rb
@@ -30,6 +30,15 @@ def test_unverified_ssl_connection
       end
     end
 
+    def test_verify_certificates_by_default
+      assert_raises(OpenSSL::SSL::SSLError) do
+        RedisMock.start({ :ping => proc { "+PONG" } }, ssl_server_opts("untrusted")) do |port|
+          redis = Redis.new(:port => port, :ssl => true)
+          redis.ping
+        end
+      end
+    end
+
     def test_ssl_blocking
       RedisMock.start({}, ssl_server_opts("trusted")) do |port|
         redis = Redis.new(:port => port, :ssl => true, :ssl_params => { :ca_file => ssl_ca_file })