fix(common/redis): stop unconditionally skipping TLS certificate verification#4261
Open
fix(common/redis): stop unconditionally skipping TLS certificate verification#4261
Conversation
…fication Previously, `enableTLS` was passed directly to `InsecureSkipVerify`, meaning enabling TLS always disabled certificate verification, a security vulnerability. This adds a separate `insecureSkipTLSVerify` metadata field (defaulting to false) so that TLS connections now perform proper certificate verification by default. Signed-off-by: joshvanl <me@joshvanl.dev>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes a security vulnerability in the Dapr Redis component where enabling TLS (enableTLS: true) was unconditionally passing true to tls.Config.InsecureSkipVerify, disabling certificate verification entirely. The fix adds a separate insecureSkipTLSVerify metadata field (defaulting to false) so that TLS connections now use proper certificate verification by default.
Changes:
- Adds
InsecureSkipTLSVerify boolfield to the sharedSettingsstruct and wires it totls.Config.InsecureSkipVerifyin all six TLS configuration sites across both the v8 and v9 Redis clients - Adds
insecureSkipTLSVerifymetadata field (withdefault: "false") to all five Redis component metadata YAML files (state,pubsub,bindings,configuration,lock)
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
common/component/redis/settings.go |
Adds InsecureSkipTLSVerify field to Settings struct with corrected EnableTLS comment |
common/component/redis/v8client.go |
Replaces s.EnableTLS with s.InsecureSkipTLSVerify in all three TLS config sites |
common/component/redis/v9client.go |
Replaces s.EnableTLS with s.InsecureSkipTLSVerify in all three TLS config sites |
state/redis/metadata.yaml |
Adds insecureSkipTLSVerify metadata field |
pubsub/redis/metadata.yaml |
Adds insecureSkipTLSVerify metadata field |
bindings/redis/metadata.yaml |
Adds insecureSkipTLSVerify metadata field |
configuration/redis/metadata.yaml |
Adds insecureSkipTLSVerify metadata field; fixes trailing whitespace in enableTLS description |
lock/redis/metadata.yaml |
Adds insecureSkipTLSVerify metadata field |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
JoshVanL
added a commit
to JoshVanL/dapr-docs
that referenced
this pull request
Mar 9, 2026
Based on dapr/components-contrib#4261 Signed-off-by: joshvanl <me@joshvanl.dev>
Signed-off-by: joshvanl <me@joshvanl.dev>
acroca
approved these changes
Mar 10, 2026
cicoyle
approved these changes
Mar 10, 2026
Contributor
cicoyle
left a comment
cicoyle
left a comment
There was a problem hiding this comment.
lgtm, did you open a docs PR for the metadata change?
Contributor
Author
|
@cicoyle yep! dapr/docs#5065 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously,
enableTLSwas passed directly toInsecureSkipVerify, meaning enabling TLS always disabled certificate verification, a security vulnerability. This adds a separateinsecureSkipTLSVerifymetadata field (defaulting to false) so that TLS connections now perform proper certificate verification by default.