From 3dc337401be604d08e7714556ff3f471dca68710 Mon Sep 17 00:00:00 2001 From: Brian P O'Rourke Date: Sat, 25 Apr 2020 12:05:16 -0700 Subject: [PATCH] Verify certs by default under TLS `SSLContext#set_params` is the step in SSL connection establishment that merges user-provided SSL parameters with "saner defaults". Previously `SSLContext#set_params` was only being called when `ssl_params` was provided to the SSLConnection, so the SSLContexet was left unconfigured. This leads to the surprising default `verify_mode` of `nil`, resulting in SSL connections verifying hostnames but never verifying certificate trust. --- lib/redis/connection/ruby.rb | 4 +++- test/ssl_test.rb | 9 +++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/lib/redis/connection/ruby.rb b/lib/redis/connection/ruby.rb index 1f2c1a405..1c3495978 100644 --- a/lib/redis/connection/ruby.rb +++ b/lib/redis/connection/ruby.rb @@ -263,7 +263,9 @@ def self.connect(host, port, timeout, ssl_params) tcp_sock = TCPSocket.connect(host, port, timeout) ctx = OpenSSL::SSL::SSLContext.new - ctx.set_params(ssl_params) if ssl_params && !ssl_params.empty? + + # The provided parameters are merged into OpenSSL::SSL::SSLContext::DEFAULT_PARAMS + ctx.set_params(ssl_params || {}) ssl_sock = new(tcp_sock, ctx) ssl_sock.hostname = host diff --git a/test/ssl_test.rb b/test/ssl_test.rb index d7caa8355..0d2b99cbd 100644 --- a/test/ssl_test.rb +++ b/test/ssl_test.rb @@ -30,6 +30,15 @@ def test_unverified_ssl_connection end end + def test_verify_certificates_by_default + assert_raises(OpenSSL::SSL::SSLError) do + RedisMock.start({ :ping => proc { "+PONG" } }, ssl_server_opts("untrusted")) do |port| + redis = Redis.new(:port => port, :ssl => true) + redis.ping + end + end + end + def test_ssl_blocking RedisMock.start({}, ssl_server_opts("trusted")) do |port| redis = Redis.new(:port => port, :ssl => true, :ssl_params => { :ca_file => ssl_ca_file })