redis-py ssl support susceptible to MITM attacks by default

**Issue:** redis-py doesn't enforce hostname validation (Common Name nor Subject Alternative Name) by default when accepting a cert from a remote SSL terminator. This default behavior isn't compatible to accepted PEPs/RFCs and provides a dangerous sense of false security.

**Task:** Correct redis-py to validate certificates by default. IMHO this shouldn't be considered a breaking change as it simply reenforces the expected results when initiating a SSL connection.

**Additional research:**
- https://tools.ietf.org/html/rfc6125
- https://www.python.org/dev/peps/pep-0476/
- https://wiki.openssl.org/index.php/Hostname_validation


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

redis-py ssl support susceptible to MITM attacks by default #1016

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

redis-py ssl support susceptible to MITM attacks by default #1016

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions