Redis Client - Enable TLS/SSL Only with rediss:// Scheme

Previously, if `quarkus.tls.trust-all` was set, the Redis client would automatically use TLS. This commit ensures that TLS is only enabled when the host scheme is rediss://, aligning the behavior with expected usage patterns. Fix #41548 (cherry picked from commit 0fdf12c)
quarkusio · Jul 1, 2024 · 444d8b0 · 444d8b0
1 parent 2c0b79b
commit 444d8b0
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/...client/runtime/src/main/java/io/quarkus/redis/runtime/client/VertxRedisClientFactory.java b/...client/runtime/src/main/java/io/quarkus/redis/runtime/client/VertxRedisClientFactory.java
@@ -94,7 +94,7 @@ public static Redis create(String name, Vertx vertx, RedisClientConfig config, T
         config.replicas().ifPresent(options::setUseReplicas);
 
         options.setNetClientOptions(toNetClientOptions(config));
-        configureTLS(name, config, tlsRegistry, options.getNetClientOptions());
+        configureTLS(name, config, tlsRegistry, options.getNetClientOptions(), hosts);
 
         options.setPoolName(name);
         // Use the convention defined by Quarkus Micrometer Vert.x metrics to create metrics prefixed with redis.
@@ -180,10 +180,18 @@ public static RedisHostsProvider findProvider(String name) {
     }
 
     private static void configureTLS(String name, RedisClientConfig config, TlsConfigurationRegistry tlsRegistry,
-            NetClientOptions net) {
+            NetClientOptions net, List<URI> hosts) {
         TlsConfiguration configuration = null;
         boolean defaultTrustAll = false;
 
+        boolean tlsFromHosts = false;
+        for (URI uri : hosts) {
+            if ("rediss".equals(uri.getScheme())) {
+                tlsFromHosts = true;
+                break;
+            }
+        }
+
         // Check if we have a named TLS configuration or a default configuration:
         if (config.tlsConfigurationName().isPresent()) {
             Optional<TlsConfiguration> maybeConfiguration = tlsRegistry.get(config.tlsConfigurationName().get());
@@ -200,10 +208,15 @@ private static void configureTLS(String name, RedisClientConfig config, TlsConfi
             }
         }
 
+        if (configuration != null && !tlsFromHosts) {
+            LOGGER.warnf("The Redis client %s is configured with a named TLS configuration but the hosts are not " +
+                    "using the `rediss://` scheme - Disabling TLS", name);
+        }
+
         // Apply the configuration
         if (configuration != null) {
             // This part is often the same (or close) for every Vert.x client:
-            net.setSsl(true);
+            net.setSsl(tlsFromHosts);
 
             if (configuration.getTrustStoreOptions() != null) {
                 net.setTrustOptions(configuration.getTrustStoreOptions());
@@ -244,7 +257,7 @@ private static void configureTLS(String name, RedisClientConfig config, TlsConfi
             } else {
                 net.setHostnameVerificationAlgorithm(verificationAlgorithm);
             }
-            net.setSsl(config.tls().enabled() || defaultTrustAll);
+            net.setSsl(config.tls().enabled() || tlsFromHosts);
             net.setTrustAll(config.tls().trustAll() || defaultTrustAll);
 
             configurePemTrustOptions(net, config.tls().trustCertificatePem());