fix(rate-limiter): enable rustls tls12 so TLS 1.2 Redis connects #110
Open
gandhipratik203 wants to merge 1 commit into
rustls was pinned with default-features = false and only ["ring", "std"], which compiles it without TLS 1.2 (1.3-only); the redis crate's tls-rustls feature does not enable tls12 either. Managed Redis that offers only TLS 1.2 (e.g. AWS ElastiCache) then shares no protocol version with the client, so the handshake fails and the plugin returns BACKEND_UNAVAILABLE even though a redis-py (OpenSSL) client connects to the same endpoint. Add the rustls "tls12" feature so TLS 1.2 works while keeping 1.3. Bump the package to 0.1.4 and add a regression test that fails to build if the feature is dropped.

Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>
Summary
cpex-rate-limiter's rustls dependency was pinned with default-features = false and only ["ring", "std"], so rustls compiled without TLS 1.2 (1.3-only); the redis crate's tls-rustls feature does not enable it either. Redis that offers only TLS 1.2 (e.g. AWS ElastiCache) then shares no protocol version with the client, so the handshake fails and the plugin returns BACKEND_UNAVAILABLE, even though redis-py (OpenSSL) connects to the same endpoint.
Fix
Add the tls12 feature to rustls so TLS 1.2 works while keeping 1.3. One-line change that keeps rustls and the existing TLS config handling, with no OpenSSL. Bumps to 0.1.4 and adds a regression test that fails to build if the feature is dropped.
Validated against a live AWS ElastiCache and through a rebuilt gateway image: the stock
build returns BACKEND_UNAVAILABLE, this build connects.
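
A manifest-level check for the misconfiguration described in this pull request, as an added example that is not part of the PR or the project's code: it flags any rustls entry that sets default-features = false without listing "tls12". The function names and sample manifests are constructed, the version "0.0.0" is a placeholder, and the check assumes rustls enables tls12 through its default features.

```python
"""Flag Cargo manifests that build rustls without TLS 1.2 support."""
try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters with the tomli backport installed
    import tomli as tomllib

def rustls_specs(manifest):
    """Yield (section, spec) for every rustls entry in a parsed manifest."""
    tables = [("", manifest), ("workspace", manifest.get("workspace", {}))]
    tables += [(f"target.{t}", v) for t, v in manifest.get("target", {}).items()]
    for prefix, table in tables:
        for kind in ("dependencies", "dev-dependencies", "build-dependencies"):
            for name, spec in table.get(kind, {}).items():
                # A renamed dependency keeps the real crate name in `package`.
                real = spec.get("package", name) if isinstance(spec, dict) else name
                if real == "rustls":
                    yield (f"{prefix}.{kind}".lstrip("."), spec)

def lacks_tls12(spec):
    """True when the entry disables default features and omits "tls12"."""
    if not isinstance(spec, dict):
        return False  # bare version string: default features stay on
    defaults_on = spec.get("default-features", True)
    return not defaults_on and "tls12" not in spec.get("features", [])

def check_manifest(text):
    """Return the manifest sections whose rustls entry is TLS 1.3-only."""
    manifest = tomllib.loads(text)
    return [sec for sec, spec in rustls_specs(manifest) if lacks_tls12(spec)]

# Constructed manifests; "0.0.0" is a placeholder, not the project's pinned version.
BEFORE = '''
[dependencies]
rustls = { version = "0.0.0", default-features = false, features = ["ring", "std"] }
'''
AFTER = '''
[dependencies]
rustls = { version = "0.0.0", default-features = false, features = ["ring", "std", "tls12"] }
'''

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_manifest(text) or "ok")
```

The check reads one manifest only, so it can report an entry even when Cargo's feature unification would enable tls12 through another crate in the dependency graph.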