Fix redis ssl issues 4
@@ -173,9 +173,68 @@ class RedisConnectionManager:
|
||||
if ssl_kwargs:
|
||||
client_params['ssl'] = True
|
||||
client_params['ssl_cert_reqs'] = ssl_kwargs.get('ssl_cert_reqs', ssl.CERT_NONE)
|
||||
client_params['ssl_ca_certs'] = ssl_kwargs.get('ssl_ca_certs')
|
||||
client_params['ssl_certfile'] = ssl_kwargs.get('ssl_certfile')
|
||||
client_params['ssl_keyfile'] = ssl_kwargs.get('ssl_keyfile')
|
||||
|
||||
# For Kubernetes environments, try to use mounted TLS certificates
|
||||
# These are typically mounted at /tls/redis-cert.pem, /tls/redis-key.pem, /tls/ca-cert.pem
|
||||
import os
|
||||
ca_certs_path = os.getenv('REDIS_CA_CERTS_PATH', '/tls/ca-cert.pem')
|
||||
certfile_path = os.getenv('REDIS_CERTFILE_PATH', '/tls/redis-cert.pem')
|
||||
keyfile_path = os.getenv('REDIS_KEYFILE_PATH', '/tls/redis-key.pem')
|
||||
|
||||
# Use environment variables or mounted files if they exist
|
||||
if os.path.exists(ca_certs_path):
|
||||
client_params['ssl_ca_certs'] = ca_certs_path
|
||||
elif ssl_kwargs.get('ssl_ca_certs'):
|
||||
client_params['ssl_ca_certs'] = ssl_kwargs.get('ssl_ca_certs')
|
||||
|
||||
if os.path.exists(certfile_path):
|
||||
client_params['ssl_certfile'] = certfile_path
|
||||
elif ssl_kwargs.get('ssl_certfile'):
|
||||
client_params['ssl_certfile'] = ssl_kwargs.get('ssl_certfile')
|
||||
|
||||
if os.path.exists(keyfile_path):
|
||||
client_params['ssl_keyfile'] = keyfile_path
|
||||
elif ssl_kwargs.get('ssl_keyfile'):
|
||||
client_params['ssl_keyfile'] = ssl_kwargs.get('ssl_keyfile')
|
||||
|
||||
# Add additional SSL context parameters for better compatibility
|
||||
# These help with SSL handshake issues and protocol compatibility
|
||||
client_params['ssl_check_hostname'] = False # Disable hostname verification for self-signed certs
|
||||
|
||||
# Add SSL context with specific protocol versions for better compatibility
|
||||
# This helps with "wrong version number" and "unexpected eof" SSL errors
|
||||
import ssl as ssl_module
|
||||
ssl_context = ssl_module.create_default_context(
|
||||
purpose=ssl_module.Purpose.SERVER_AUTH,
|
||||
cafile=client_params.get('ssl_ca_certs')
|
||||
)
|
||||
ssl_context.check_hostname = False
|
||||
ssl_context.verify_mode = client_params.get('ssl_cert_reqs', ssl_module.CERT_NONE)
|
||||
|
||||
# Set minimum TLS version for better security and compatibility
|
||||
# TLS 1.2 is widely supported and secure enough for internal cluster communication
|
||||
ssl_context.minimum_version = ssl_module.TLSVersion.TLSv1_2
|
||||
|
||||
# If client certificates are provided, load them
|
||||
if client_params.get('ssl_certfile') and client_params.get('ssl_keyfile'):
|
||||
ssl_context.load_cert_chain(
|
||||
certfile=client_params.get('ssl_certfile'),
|
||||
keyfile=client_params.get('ssl_keyfile')
|
||||
)
|
||||
|
||||
client_params['ssl_context'] = ssl_context
|
||||
|
||||
# Debug: Log the SSL configuration being used
|
||||
self.logger.debug(
|
||||
"redis_ssl_config",
|
||||
ssl_enabled=True,
|
||||
ssl_cert_reqs=client_params.get('ssl_cert_reqs'),
|
||||
ssl_ca_certs=client_params.get('ssl_ca_certs'),
|
||||
ssl_certfile=client_params.get('ssl_certfile'),
|
||||
ssl_keyfile=client_params.get('ssl_keyfile'),
|
||||
ssl_check_hostname=False,
|
||||
ssl_minimum_version="TLSv1_2"
|
||||
)
|
||||
|
||||
self._client = redis.Redis(**client_params)
|
||||
else:
|
||||
@@ -196,11 +255,8 @@ class RedisConnectionManager:
|
||||
redis_url,
|
||||
**connection_kwargs
|
||||
)
|
||||
|
||||
self._client = redis.Redis(connection_pool=self._pool)
|
||||
|
||||
# Create Redis client with pool
|
||||
self._client = redis.Redis(connection_pool=self._pool)
|
||||
self._client = redis.Redis(connection_pool=self._pool)
|
||||
|
||||
# Test connection
|
||||
await self._client.ping()
|
||||
|
||||
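Review bot: `ssl_context.check_hostname = False` followed by `ssl_context.verify_mode = client_params.get('ssl_cert_reqs', ssl_module.CERT_NONE)` (mirrored by `client_params['ssl_check_hostname'] = False`) leaves the client never authenticating the Redis server unless a caller explicitly passes `ssl_cert_reqs`, even when a CA file was found at `REDIS_CA_CERTS_PATH`, so the connection is encrypted but an on-path impostor is accepted; hostname checking should only be dropped when verification is genuinely disabled, and that state deserves a warning rather than the debug line below it. The mounted-file lookups also silently override an explicit `ssl_kwargs` value whenever `/tls/*.pem` happens to exist, which at least warrants a comment such as `# Mounted certificates take precedence over ssl_kwargs`. Minor points: `import ssl as ssl_module` is redundant since `ssl.CERT_NONE` is already used a few lines up in this hunk, and if `ssl_cert_reqs` arrives as a redis-py style string such as `'required'` the assignment to `verify_mode` will raise rather than map it — confirm what callers pass. Passing both `ssl_context` and the individual `ssl_*` keys to `redis.Redis` may be rejected or have the latter ignored depending on the installed redis-py version; verify against it. The enclosing method starts before this hunk.
```python
# … unchanged: ssl_context = ssl_module.create_default_context(...) …
verify_mode = client_params.get('ssl_cert_reqs', ssl_module.CERT_NONE)
# check_hostname must be cleared before verify_mode can drop to CERT_NONE;
# keep it on whenever the peer certificate is actually verified.
ssl_context.check_hostname = (
    verify_mode == ssl_module.CERT_REQUIRED
    and ssl_kwargs.get('ssl_check_hostname', True)
)
ssl_context.verify_mode = verify_mode
if verify_mode == ssl_module.CERT_NONE:
    self.logger.warning("redis_ssl_verification_disabled")
# … unchanged: minimum_version, load_cert_chain, client_params['ssl_context'] …
```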