diff --git a/src/cli_common.c b/src/cli_common.c
index c2db9fffc..e88327ace 100644
--- a/src/cli_common.c
+++ b/src/cli_common.c
@@ -54,7 +54,7 @@ int cliSecureConnection(redisContext *c, cliSSLconfig config, const char **err)
goto error;
}
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+ SSL_CTX_set_verify(ssl_ctx, config.skip_cert_verify ? SSL_VERIFY_NONE : SSL_VERIFY_PEER, NULL);
if (config.cacert || config.cacertdir) {
if (!SSL_CTX_load_verify_locations(ssl_ctx, config.cacert, config.cacertdir)) {
diff --git a/src/cli_common.h b/src/cli_common.h
index f3a91e9db..16d6ec2a9 100644
--- a/src/cli_common.h
+++ b/src/cli_common.h
@@ -10,6 +10,8 @@ typedef struct cliSSLconfig {
char *cacert;
/* Directory where trusted CA certificates are stored, or NULL */
char *cacertdir;
+ /* Skip server certificate verification. */
+ int skip_cert_verify;
/* Client certificate to authenticate with, or NULL */
char *cert;
/* Private key file to authenticate with, or NULL */
diff --git a/src/redis-benchmark.c b/src/redis-benchmark.c
index a955c0d4c..164f5e3ee 100644
--- a/src/redis-benchmark.c
+++ b/src/redis-benchmark.c
@@ -1516,6 +1516,8 @@ int parseOptions(int argc, const char **argv) {
} else if (!strcmp(argv[i],"--cacert")) {
if (lastarg) goto invalid;
config.sslconfig.cacert = strdup(argv[++i]);
+ } else if (!strcmp(argv[i],"--insecure")) {
+ config.sslconfig.skip_cert_verify = 1;
} else if (!strcmp(argv[i],"--cert")) {
if (lastarg) goto invalid;
config.sslconfig.cert = strdup(argv[++i]);
@@ -1585,6 +1587,7 @@ usage:
" --cacertdir <dir> Directory where trusted CA certificates are stored.\n"
" If neither cacert nor cacertdir are specified, the default\n"
" system-wide trusted root certs configuration will apply.\n"
+" --insecure Allow insecure TLS connection by skipping cert validation.\n"
" --cert <file> Client certificate to authenticate with.\n"
" --key <file> Private key file to authenticate with.\n"
" --tls-ciphers <list> Sets the list of prefered ciphers (TLSv1.2 and below)\n"
@@ -1682,6 +1685,7 @@ int main(int argc, const char **argv) {
signal(SIGHUP, SIG_IGN);
signal(SIGPIPE, SIG_IGN);
+ memset(&config.sslconfig, 0, sizeof(config.sslconfig));
config.numclients = 50;
config.requests = 100000;
config.liveclients = 0;
diff --git a/src/redis-cli.c b/src/redis-cli.c
index ed3075317..ab30edc75 100644
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -1695,6 +1695,8 @@ static int parseOptions(int argc, char **argv) {
config.sslconfig.key = argv[++i];
} else if (!strcmp(argv[i],"--tls-ciphers") && !lastarg) {
config.sslconfig.ciphers = argv[++i];
+ } else if (!strcmp(argv[i],"--insecure")) {
+ config.sslconfig.skip_cert_verify = 1;
#ifdef TLS1_3_VERSION
} else if (!strcmp(argv[i],"--tls-ciphersuites") && !lastarg) {
config.sslconfig.ciphersuites = argv[++i];
@@ -1820,6 +1822,7 @@ static void usage(void) {
" --cacertdir <dir> Directory where trusted CA certificates are stored.\n"
" If neither cacert nor cacertdir are specified, the default\n"
" system-wide trusted root certs configuration will apply.\n"
+" --insecure Allow insecure TLS connection by skipping cert validation.\n"
" --cert <file> Client certificate to authenticate with.\n"
" --key <file> Private key file to authenticate with.\n"
" --tls-ciphers <list> Sets the list of prefered ciphers (TLSv1.2 and below)\n"
@@ -8131,6 +8134,7 @@ int main(int argc, char **argv) {
int firstarg;
struct timeval tv;
+ memset(&config.sslconfig, 0, sizeof(config.sslconfig));
config.hostip = sdsnew("127.0.0.1");
config.hostport = 6379;
config.hostsocket = NULL;