RedisURI.applySsl(…) does not retain SslVerifyMode #2328

@jacob-pro

Description

Current Behavior

When using RedisClusterClient the SslVerifyMode.CA mode is not respected.

When attaching a debugger I can see the initial call to the cluster succeeds, but the RedisURI is then updated with the incorrect mode, and subsequent calls fail.

Stack trace
2023-02-14_18:10:14.37717 Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
2023-02-14_18:10:14.37726       at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
2023-02-14_18:10:14.37736       at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
2023-02-14_18:10:14.37745       at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
2023-02-14_18:10:14.37755       at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:429)
2023-02-14_18:10:14.37765       at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
2023-02-14_18:10:14.37778       at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
2023-02-14_18:10:14.37782       at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:234)
2023-02-14_18:10:14.37786       at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:748)
2023-02-14_18:10:14.37792       at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
2023-02-14_18:10:14.37795       at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:645)
2023-02-14_18:10:14.37798       at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1255)
2023-02-14_18:10:14.37801       at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1392)
2023-02-14_18:10:14.37804       at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:217)
2023-02-14_18:10:14.37913       at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1342)

Input Code

var uri = RedisURI.builder()
    .withSsl(true)
    .withHost("localhost")
    .withPort(6379)
    .withVerifyPeer(SslVerifyMode.CA)
    .build();

try (var clusterClient = RedisClusterClient.create(uri)) {
    try (var connection = clusterClient.connect()) {
        ...
    }
}

Environment

  • Lettuce version(s): 6.2.2.RELEASE
  • Redis version: 7.0.8

Possible Solution

I'm fairly certain the bug is coming from here:

https://github.com/lettuce-io/lettuce-core/blob/dcd7085f18e453cc2624b673f8da1c9fb56c9fe0/src/main/java/io/lettuce/core/RedisURI.java#L623-L630

The SslVerifyMode is not being fully propagated to the new RedisURIs.

I have opened a PR for this: #2329

Additional context

I think what happened is that when this commit added SslVerifyMode.CA, the applySsl() function wasn't updated.

Relates to: #1460
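A small regression check for the behaviour described in this issue, added here as an example rather than code from the report or from Lettuce itself. It assumes, from the linked RedisURI lines, that applySsl(RedisURI source) is callable from outside the class and copies the TLS settings of the source onto the target URI, and that getVerifyMode() returns the configured SslVerifyMode; the host and port values are constructed for the example.

```java
import io.lettuce.core.RedisURI;
import io.lettuce.core.SslVerifyMode;

public class ApplySslVerifyModeCheck {

    /**
     * Mirrors what happens after cluster topology discovery: the TLS settings of the
     * seed URI are copied onto a URI built for a discovered node. Returns the verify
     * mode the node URI ends up with, so it can be compared with what was configured.
     */
    static SslVerifyMode propagate(SslVerifyMode configured) {
        RedisURI seed = RedisURI.builder()
                .withSsl(true)
                .withHost("localhost")          // constructed example value
                .withPort(6379)
                .withVerifyPeer(configured)
                .build();

        // A node URI as the cluster client would create it from CLUSTER NODES output
        // (constructed example value; no TLS settings of its own yet).
        RedisURI node = RedisURI.create("127.0.0.1", 6380);

        node.applySsl(seed);        // assumed signature: applySsl(RedisURI source)
        return node.getVerifyMode();
    }

    public static void main(String[] args) {
        // With the defect reported above, CA comes back as FULL because the mode is
        // squeezed through the boolean isVerifyPeer()/setVerifyPeer(boolean) pair;
        // NONE and FULL survive the round trip unchanged.
        for (SslVerifyMode mode : SslVerifyMode.values()) {
            SslVerifyMode result = propagate(mode);
            System.out.printf("configured=%-4s propagated=%-4s %s%n",
                    mode, result, mode == result ? "ok" : "CHANGED");
        }
    }
}
```

Run this against the affected release to reproduce, and after applying the fix to confirm CA is retained. Note the direction of the defect: CA is turned into FULL, which adds hostname verification on top of chain validation, so the symptom is a failed handshake (the CertificateException in the trace above) rather than a silent weakening of peer verification; a check like this one is still worth keeping, because the same copy path would hide a downgrade just as easily.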
