From be83bb13a8eaad68b7580b95c696f2554cf7100e Mon Sep 17 00:00:00 2001 From: Yossi Gottlieb Date: Sun, 7 Feb 2021 12:36:56 +0200 Subject: [PATCH] Add --insecure option to command line tools. (#8416) Disable certificate validation, making it possible to connect to servers without configuring full trust chain. The use of this option is insecure and makes the connection vulnerable to man in the middle attacks. --- src/cli_common.c | 2 +- src/cli_common.h | 2 ++ src/redis-benchmark.c | 4 ++++ src/redis-cli.c | 4 ++++ 4 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/cli_common.c b/src/cli_common.c index c2db9fffc..e88327ace 100644 --- a/src/cli_common.c +++ b/src/cli_common.c @@ -54,7 +54,7 @@ int cliSecureConnection(redisContext *c, cliSSLconfig config, const char **err) goto error; } SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); - SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); + SSL_CTX_set_verify(ssl_ctx, config.skip_cert_verify ? SSL_VERIFY_NONE : SSL_VERIFY_PEER, NULL); if (config.cacert || config.cacertdir) { if (!SSL_CTX_load_verify_locations(ssl_ctx, config.cacert, config.cacertdir)) { diff --git a/src/cli_common.h b/src/cli_common.h index f3a91e9db..16d6ec2a9 100644 --- a/src/cli_common.h +++ b/src/cli_common.h @@ -10,6 +10,8 @@ typedef struct cliSSLconfig { char *cacert; /* Directory where trusted CA certificates are stored, or NULL */ char *cacertdir; + /* Skip server certificate verification. */ + int skip_cert_verify; /* Client certificate to authenticate with, or NULL */ char *cert; /* Private key file to authenticate with, or NULL */ diff --git a/src/redis-benchmark.c b/src/redis-benchmark.c index a955c0d4c..164f5e3ee 100644 --- a/src/redis-benchmark.c +++ b/src/redis-benchmark.c @@ -1516,6 +1516,8 @@ int parseOptions(int argc, const char **argv) { } else if (!strcmp(argv[i],"--cacert")) { if (lastarg) goto invalid; config.sslconfig.cacert = strdup(argv[++i]); + } else if (!strcmp(argv[i],"--insecure")) { + config.sslconfig.skip_cert_verify = 1; } else if (!strcmp(argv[i],"--cert")) { if (lastarg) goto invalid; config.sslconfig.cert = strdup(argv[++i]); @@ -1585,6 +1587,7 @@ usage: " --cacertdir Directory where trusted CA certificates are stored.\n" " If neither cacert nor cacertdir are specified, the default\n" " system-wide trusted root certs configuration will apply.\n" +" --insecure Allow insecure TLS connection by skipping cert validation.\n" " --cert Client certificate to authenticate with.\n" " --key Private key file to authenticate with.\n" " --tls-ciphers Sets the list of prefered ciphers (TLSv1.2 and below)\n" @@ -1682,6 +1685,7 @@ int main(int argc, const char **argv) { signal(SIGHUP, SIG_IGN); signal(SIGPIPE, SIG_IGN); + memset(&config.sslconfig, 0, sizeof(config.sslconfig)); config.numclients = 50; config.requests = 100000; config.liveclients = 0; diff --git a/src/redis-cli.c b/src/redis-cli.c index ed3075317..ab30edc75 100644 --- a/src/redis-cli.c +++ b/src/redis-cli.c @@ -1695,6 +1695,8 @@ static int parseOptions(int argc, char **argv) { config.sslconfig.key = argv[++i]; } else if (!strcmp(argv[i],"--tls-ciphers") && !lastarg) { config.sslconfig.ciphers = argv[++i]; + } else if (!strcmp(argv[i],"--insecure")) { + config.sslconfig.skip_cert_verify = 1; #ifdef TLS1_3_VERSION } else if (!strcmp(argv[i],"--tls-ciphersuites") && !lastarg) { config.sslconfig.ciphersuites = argv[++i]; @@ -1820,6 +1822,7 @@ static void usage(void) { " --cacertdir Directory where trusted CA certificates are stored.\n" " If neither cacert nor cacertdir are specified, the default\n" " system-wide trusted root certs configuration will apply.\n" +" --insecure Allow insecure TLS connection by skipping cert validation.\n" " --cert Client certificate to authenticate with.\n" " --key Private key file to authenticate with.\n" " --tls-ciphers Sets the list of prefered ciphers (TLSv1.2 and below)\n" @@ -8131,6 +8134,7 @@ int main(int argc, char **argv) { int firstarg; struct timeval tv; + memset(&config.sslconfig, 0, sizeof(config.sslconfig)); config.hostip = sdsnew("127.0.0.1"); config.hostport = 6379; config.hostsocket = NULL;