diff --git a/redis/asyncio/client.py b/redis/asyncio/client.py index 2afad0f4d1..bbf2a676ed 100644 --- a/redis/asyncio/client.py +++ b/redis/asyncio/client.py @@ -163,6 +163,7 @@ def __init__( ssl_certfile: Optional[str] = None, ssl_cert_reqs: str = "required", ssl_ca_certs: Optional[str] = None, + ssl_ca_data: Optional[str] = None, ssl_check_hostname: bool = False, max_connections: Optional[int] = None, single_connection_client: bool = False, @@ -228,6 +229,7 @@ def __init__( "ssl_certfile": ssl_certfile, "ssl_cert_reqs": ssl_cert_reqs, "ssl_ca_certs": ssl_ca_certs, + "ssl_ca_data": ssl_ca_data, "ssl_check_hostname": ssl_check_hostname, } ) diff --git a/redis/asyncio/connection.py b/redis/asyncio/connection.py index ae54d8147a..830dfcd889 100644 --- a/redis/asyncio/connection.py +++ b/redis/asyncio/connection.py @@ -1026,6 +1026,7 @@ def __init__( ssl_certfile: Optional[str] = None, ssl_cert_reqs: str = "required", ssl_ca_certs: Optional[str] = None, + ssl_ca_data: Optional[str] = None, ssl_check_hostname: bool = False, **kwargs, ): @@ -1035,6 +1036,7 @@ def __init__( certfile=ssl_certfile, cert_reqs=ssl_cert_reqs, ca_certs=ssl_ca_certs, + ca_data=ssl_ca_data, check_hostname=ssl_check_hostname, ) @@ -1054,6 +1056,10 @@ def cert_reqs(self): def ca_certs(self): return self.ssl_context.ca_certs + @property + def ca_data(self): + return self.ssl_context.ca_data + @property def check_hostname(self): return self.ssl_context.check_hostname @@ -1065,6 +1071,7 @@ class RedisSSLContext: "certfile", "cert_reqs", "ca_certs", + "ca_data", "context", "check_hostname", ) @@ -1075,6 +1082,7 @@ def __init__( certfile: Optional[str] = None, cert_reqs: Optional[str] = None, ca_certs: Optional[str] = None, + ca_data: Optional[str] = None, check_hostname: bool = False, ): self.keyfile = keyfile @@ -1093,6 +1101,7 @@ def __init__( ) self.cert_reqs = CERT_REQS[cert_reqs] self.ca_certs = ca_certs + self.ca_data = ca_data self.check_hostname = check_hostname self.context: Optional[ssl.SSLContext] = None @@ -1103,8 +1112,8 @@ def get(self) -> ssl.SSLContext: context.verify_mode = self.cert_reqs if self.certfile and self.keyfile: context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile) - if self.ca_certs: - context.load_verify_locations(self.ca_certs) + if self.ca_certs or self.ca_data: + context.load_verify_locations(cafile=self.ca_certs, cadata=self.ca_data) self.context = context return self.context diff --git a/redis/client.py b/redis/client.py index b12ad578d6..4b81ac3638 100755 --- a/redis/client.py +++ b/redis/client.py @@ -883,6 +883,7 @@ def __init__( ssl_cert_reqs="required", ssl_ca_certs=None, ssl_ca_path=None, + ssl_ca_data=None, ssl_check_hostname=False, ssl_password=None, ssl_validate_ocsp=False, @@ -964,6 +965,7 @@ def __init__( "ssl_certfile": ssl_certfile, "ssl_cert_reqs": ssl_cert_reqs, "ssl_ca_certs": ssl_ca_certs, + "ssl_ca_data": ssl_ca_data, "ssl_check_hostname": ssl_check_hostname, "ssl_password": ssl_password, "ssl_ca_path": ssl_ca_path, diff --git a/redis/cluster.py b/redis/cluster.py index 8c2dfc271b..b116c3b496 100644 --- a/redis/cluster.py +++ b/redis/cluster.py @@ -116,6 +116,7 @@ def fix_server(*args): "socket_timeout", "ssl", "ssl_ca_certs", + "ssl_ca_data", "ssl_certfile", "ssl_cert_reqs", "ssl_keyfile", diff --git a/redis/connection.py b/redis/connection.py index 8a77e4bdee..0f97361e6e 100755 --- a/redis/connection.py +++ b/redis/connection.py @@ -923,6 +923,7 @@ def __init__( ssl_certfile=None, ssl_cert_reqs="required", ssl_ca_certs=None, + ssl_ca_data=None, ssl_check_hostname=False, ssl_ca_path=None, ssl_password=None, @@ -939,6 +940,7 @@ def __init__( ssl_certfile: Path to an ssl certificate. Defaults to None. ssl_cert_reqs: The string value for the SSLContext.verify_mode (none, optional, required). Defaults to "required". ssl_ca_certs: The path to a file of concatenated CA certificates in PEM format. Defaults to None. + ssl_ca_data: Either an ASCII string of one or more PEM-encoded certificates or a bytes-like object of DER-encoded certificates. ssl_check_hostname: If set, match the hostname during the SSL handshake. Defaults to False. ssl_ca_path: The path to a directory containing several CA certificates in PEM format. Defaults to None. ssl_password: Password for unlocking an encrypted private key. Defaults to None. @@ -973,6 +975,7 @@ def __init__( ssl_cert_reqs = CERT_REQS[ssl_cert_reqs] self.cert_reqs = ssl_cert_reqs self.ca_certs = ssl_ca_certs + self.ca_data = ssl_ca_data self.ca_path = ssl_ca_path self.check_hostname = ssl_check_hostname self.certificate_password = ssl_password @@ -993,8 +996,14 @@ def _connect(self): keyfile=self.keyfile, password=self.certificate_password, ) - if self.ca_certs is not None or self.ca_path is not None: - context.load_verify_locations(cafile=self.ca_certs, capath=self.ca_path) + if ( + self.ca_certs is not None + or self.ca_path is not None + or self.ca_data is not None + ): + context.load_verify_locations( + cafile=self.ca_certs, capath=self.ca_path, cadata=self.ca_data + ) sslsock = context.wrap_socket(sock, server_hostname=self.host) if self.ssl_validate_ocsp is True and CRYPTOGRAPHY_AVAILABLE is False: raise RedisError("cryptography is not installed.") diff --git a/tests/test_ssl.py b/tests/test_ssl.py index ab5d47f293..d029b80dcb 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -67,6 +67,22 @@ def test_validating_self_signed_certificate(self, request): ) assert r.ping() + def test_validating_self_signed_string_certificate(self, request): + f = open(self.SERVER_CERT) + cert_data = f.read() + ssl_url = request.config.option.redis_ssl_url + p = urlparse(ssl_url)[1].split(":") + r = redis.Redis( + host=p[0], + port=p[1], + ssl=True, + ssl_certfile=self.SERVER_CERT, + ssl_keyfile=self.SERVER_KEY, + ssl_cert_reqs="required", + ssl_ca_data=cert_data, + ) + assert r.ping() + def _create_oscp_conn(self, request): ssl_url = request.config.option.redis_ssl_url p = urlparse(ssl_url)[1].split(":")