This commit is contained in:
Michael Kaufmann 2025-02-12 14:18:41 +00:00 committed by GitHub
commit 6798992267
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 22 additions and 3 deletions


@ -112,8 +112,9 @@ int redisInitOpenSSL(void);
* certificate and private key files to use for authentication. They need to
* be both specified or omitted.
*
* server_name is an optional and will be used as a server name indication
* (SNI) TLS extension.
* server_name is optional and will be used as a server name indication (SNI)
* TLS extension and to validate the hostname of the server's certificate
* (this requires OpenSSL 1.1.0 or newer).
*
* If error is non-null, it will be populated in case the context creation fails
* (returning a NULL).
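Review bot: The new wording promises that server_name is used "to validate the hostname of the server's certificate", but OpenSSL only enforces a name registered with SSL_set1_host as part of peer certificate verification, so on a context created with verification disabled (SSL_VERIFY_NONE) no hostname check takes place and the comment overstates the guarantee. I would make that dependency explicit, e.g. `* (this requires OpenSSL 1.1.0 or newer and only takes effect when peer certificate verification is enabled).` A reader choosing server_name for SNI alone should also learn here that the same string is now matched against the certificate, since that is a behaviour change for existing callers.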

20
ssl.c

@ -54,6 +54,7 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
#include "win32.h"
#include "async_private.h"
@ -97,6 +98,14 @@ typedef struct redisSSL {
/* Forward declaration */
redisContextFuncs redisContextSSLFuncs;
/**
* OpenSSL hostname validation for OpenSSL >= 1.1.0
* Reference: https://wiki.openssl.org/index.php/Hostname_validation
*/
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define HIREDIS_CHECK_SSL_SERVER_NAME
#endif
/**
* OpenSSL global initialization and locking handling callbacks.
* Note that this is only required for OpenSSL < 1.1.0.
@ -437,9 +446,18 @@ int redisInitiateSSLWithContext(redisContext *c, redisSSLContext *redis_ssl_ctx)
if (redis_ssl_ctx->server_name) {
if (!SSL_set_tlsext_host_name(ssl, redis_ssl_ctx->server_name)) {
__redisSetError(c, REDIS_ERR_OTHER, "Failed to set server_name/SNI");
__redisSetError(c, REDIS_ERR_OTHER,
"Failed to set server name for SNI");
goto error;
}
#ifdef HIREDIS_CHECK_SSL_SERVER_NAME
SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
if (!SSL_set1_host(ssl, redis_ssl_ctx->server_name)) {
__redisSetError(c, REDIS_ERR_OTHER,
"Failed to set server name for certificate validation");
goto error;
}
#endif
}
if (redisSSLConnect(c, ssl) != REDIS_OK) {
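Review bot: The SSL_set1_host call registers server_name as an expected DNS name, so a caller that passes an IP literal as server_name (which before this change only influenced the SNI extension) will now fail verification even when the certificate carries a matching iPAddress SAN, because OpenSSL matches IP addresses via X509_VERIFY_PARAM_set1_ip_asc rather than the host check. If that is intended, it should be documented in the header; otherwise an IP literal (detectable with inet_pton) would need to be routed to SSL_get0_param/X509_VERIFY_PARAM_set1_ip_asc instead. The hostname check is also only enforced when peer verification is enabled on the underlying context, which is worth a one-line comment above the `#ifdef`: `/* Only enforced when SSL_VERIFY_PEER is set on the context. */`. redisInitiateSSLWithContext begins and ends outside this hunk, so where verification mode is set cannot be confirmed from here.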