Skip to content

feat: support redis TLS#19666

Open
proost wants to merge 6 commits into
apache:masterfrom
proost:feat-redis-tls
Open

feat: support redis TLS#19666
proost wants to merge 6 commits into
apache:masterfrom
proost:feat-redis-tls

Conversation

@proost

@proost proost commented Jul 8, 2026

Copy link
Copy Markdown
Member

Fixes #17962.

Description

Supporting TLS for Redis and some refactoring simplify calling ctor.


This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@FrankChen021 FrankChen021 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity Findings
P0 0
P1 0
P2 2
P3 0
Total 2

Reviewed 4 of 4 changed files.

Found 2 Redis TLS/cluster configuration issues.


This is an automated review by Codex GPT-5.5

// database applies to standalone only; Redis Cluster supports database 0 only, so this
// is a no-op in cluster mode (the default is 0).
.database(config.getDatabase())
.ssl(config.getEnableTls())

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P2] Verify Redis hostnames when TLS is enabled

Setting only .ssl(true) encrypts the socket but does not enable hostname verification. In Jedis 7.0.0 the default socket factory only verifies the host when a HostnameVerifier is supplied, or when endpoint-identification parameters are supplied through SSLParameters; this config sets neither. As added, druid.cache.enableTls=true can accept any certificate trusted by the JVM regardless of the Redis hostname, so a trusted-but-wrong certificate can impersonate the cache endpoint. Configure endpoint identification or expose an explicit verification/skip option.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, i missed that point.

2bf334a

Like dev env case, skipping is lots more easier i think. how about this?

@proost proost requested a review from FrankChen021 July 8, 2026 16:08

@FrankChen021 FrankChen021 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I rechecked the two Redis TLS follow-up threads. Current head addresses both: cluster mode no longer propagates the standalone database index, and TLS now defaults to hostname verification with an explicit CA-only hostname-skip option.

Reviewed 4 of 4 changed files.


This is an automated review by Codex GPT-5.5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support SSL/TLS in druid-redis-cache

2 participants