Skip to content

Client connections created for TLS-based replication use SNI if possible#11458

Merged
yossigo merged 1 commit intoredis:unstablefrom
CatboxParadox:replication-sni
Dec 7, 2022
Merged

Client connections created for TLS-based replication use SNI if possible#11458
yossigo merged 1 commit intoredis:unstablefrom
CatboxParadox:replication-sni

Conversation

@CatboxParadox
Copy link
Contributor

@CatboxParadox CatboxParadox commented Nov 1, 2022

It is not possible to reliably select the target server instance for TLS replication in case that the target sits behind a TLS (terminating or pass-through) proxy, as there's no SNI extension in the ClientHello message sent via the connection created for the sake of replication.

This is a simple attempt at setting the SNI to the value of the master server's address, in case that address is not actually an IP

@yossigo yossigo added the release-notes indication that this issue needs to be mentioned in the release notes label Nov 2, 2022
yossigo
yossigo reviewed Nov 2, 2022
View reviewed changes
Copy link
Collaborator

@yossigo yossigo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CatboxParadox Thanks, this makes sense. Technically, this could be considered a breaking change in extreme cases but I think we can accept it as-is and not make it optional. @redis/core-team any other opinions?

@yossigo yossigo added the breaking-change This change can potentially break existing application label Nov 2, 2022
@oranagra
Copy link
Member

oranagra commented Nov 2, 2022

@yossigo for completeness, can you describe the case and how it'll break?
anyway, i think it certainly ok to release in 7.2

@yossigo
Copy link
Collaborator

yossigo commented Nov 2, 2022

@oranagra It's a breaking change because Redis did not include an SNI in the past and will include it now (when connecting to a hostname, not an IP). Forwarding the connections through a proxy may result in different routing and subsequent connectivity issues, depending on how the proxy is configured.

@oranagra oranagra added the approval-needed Waiting for core team approval to be merged label Nov 20, 2022
@oranagra
Copy link
Member

oranagra commented Nov 22, 2022

conceptually approved in a core team meeting for 7.2

@oranagra oranagra requested a review from yossigo November 22, 2022 16:08
@yossigo yossigo merged commit 049f5d8 into redis:unstable Dec 7, 2022
@CatboxParadox CatboxParadox deleted the replication-sni branch December 7, 2022 13:46
madolson pushed a commit to madolson/redis that referenced this pull request Apr 19, 2023
@CatboxParadox @madolson
Use SNI on outgoing TLS connections (redis#11458)
4325b11 
When establishing an outgoing TLS connection using a hostname as a target, use TLS SNI extensions to include the hostname in use.
@madolson madolson mentioned this pull request Jul 1, 2023
Closed
enjoy-binbin pushed a commit to enjoy-binbin/redis that referenced this pull request Jul 31, 2023
@CatboxParadox @enjoy-binbin
Use SNI on outgoing TLS connections (redis#11458)
b63275e 
When establishing an outgoing TLS connection using a hostname as a target, use TLS SNI extensions to include the hostname in use.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yossigo yossigo yossigo approved these changes

+1 more reviewer

@zeekling zeekling zeekling approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approval-needed Waiting for core team approval to be merged breaking-change This change can potentially break existing application release-notes indication that this issue needs to be mentioned in the release notes

Projects

Redis 7.2
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@CatboxParadox @oranagra @yossigo @zeekling