Skip to content

Commit

Permalink
Close SSL sockets when connections/validations fail (#3318)
Browse files Browse the repository at this point in the history
Handle more cases of failure when initializing SSL sockets, and make
sure no socket is left unclosed in case of errors.

Fixes #3317
  • Loading branch information
kurtmckee authored and vladvildanov committed Sep 27, 2024
1 parent 676b791 commit d5868cc
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@
* Add `sum` to DUPLICATE_POLICY documentation of `TS.CREATE`, `TS.ADD` and `TS.ALTER`
* Prevent async ClusterPipeline instances from becoming "false-y" in case of empty command stack (#3061)
* Close Unix sockets if the connection attempt fails. This prevents `ResourceWarning`s. (#3314)
* Close SSL sockets if the connection attempt fails, or if validations fail. (#3317)

* 4.1.3 (Feb 8, 2022)
* Fix flushdb and flushall (#1926)
Expand Down
5 changes: 3 additions & 2 deletions redis/connection.py
Original file line number Diff line number Diff line change
Expand Up @@ -819,7 +819,7 @@ def _connect(self):
sock = super()._connect()
try:
return self._wrap_socket_with_ssl(sock)
except OSError:
except (OSError, RedisError):
sock.close()
raise

Expand Down Expand Up @@ -854,7 +854,6 @@ def _wrap_socket_with_ssl(self, sock):
context.minimum_version = self.ssl_min_version
if self.ssl_ciphers:
context.set_ciphers(self.ssl_ciphers)
sslsock = context.wrap_socket(sock, server_hostname=self.host)
if self.ssl_validate_ocsp is True and CRYPTOGRAPHY_AVAILABLE is False:
raise RedisError("cryptography is not installed.")

Expand All @@ -864,6 +863,8 @@ def _wrap_socket_with_ssl(self, sock):
"- not both."
)

sslsock = context.wrap_socket(sock, server_hostname=self.host)

# validation for the stapled case
if self.ssl_validate_ocsp_stapled:
import OpenSSL
Expand Down

0 comments on commit d5868cc

Please sign in to comment.