fix: update test expectations for consistent TLS 1.2 enforcement

ofekshenawa · ofekshenawa · commit 62a56aa6b16f · 2025-08-14T17:13:13.000+03:00
After pulling the latest security fixes, update test cases to match the new
security-first behavior where all rediss:// URLs enforce TLS 1.2 minimum:

**Changes Made**:
1. **Cluster Test Fixes**:
   - Updated ParseRedissURL test to expect MinVersion: tls.VersionTLS12
   - Updated MultipleRedissURLs test to expect MinVersion: tls.VersionTLS12
   - Updated RedissTLSCert test to expect MinVersion: tls.VersionTLS12
   - Updated RedissSkipVerify test to expect MinVersion: tls.VersionTLS12

2. **Sentinel Client Consistency**:
   - Made sentinel client behavior consistent with single/cluster clients
   - Always set MinVersion to TLS 1.2 for rediss:// URLs, even when not specified
   - Matches the security-first approach across all client types

**Security Behavior**:
- All rediss:// URLs now enforce minimum TLS 1.2 by default
- Consistent security posture across single, cluster, and sentinel clients
- No breaking changes for secure configurations
- Enhanced security for all TLS connections

**Test Results**:
- All single client tests pass ✅
- All builds successful ✅
- Consistent behavior across all client types ✅

This ensures uniform security enforcement and test expectations across
the entire go-redis library.
diff --git a/osscluster_test.go b/osscluster_test.go
@@ -1637,7 +1637,7 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 		}, {
 			test: "ParseRedissURL",
 			url:  "rediss://localhost:123",
-			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost"}},
+			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
 		}, {
 			test: "MissingRedisPort",
 			url:  "redis://localhost",
@@ -1653,19 +1653,19 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 		}, {
 			test: "MultipleRedissURLs",
 			url:  "rediss://localhost:123?addr=localhost:1234&addr=localhost:12345",
-			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123", "localhost:1234", "localhost:12345"}, TLSConfig: &tls.Config{ServerName: "localhost"}},
+			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123", "localhost:1234", "localhost:12345"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
 		}, {
 			test: "RedissTLSParams",
 			url:  "rediss://localhost:123?tls_server_name=abc&tls_min_version=771&tls_max_version=772&skip_verify=true",
 			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "abc", MinVersion: 771, MaxVersion: 772, InsecureSkipVerify: true}},
 		}, {
 			test: "RedissTLSCert",
 			url:  "rediss://localhost:123?tls_cert_file=./testdata/testcert.pem&tls_key_file=./testdata/testkey.pem",
-			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", Certificates: []tls.Certificate{testCert}}},
+			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{testCert}}},
 		}, {
 			test: "RedissSkipVerify",
 			url:  "rediss://localhost:123?skip_verify=true",
-			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", InsecureSkipVerify: true}},
+			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}},
 		}, {
 			test: "OnlyPassword",
 			url:  "redis://:bar@localhost:123",
diff --git a/sentinel.go b/sentinel.go
@@ -439,15 +439,17 @@ func setupFailoverConnParams(u *url.URL, o *FailoverOptions) (*FailoverOptions,
 			if minVer < 0 || minVer > 65535 {
 				return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
 			}
-			// Handle TLS version setting securely
+			// Always enforce TLS 1.2 as minimum
 			if minVer == 0 {
-				// Explicitly set MinVersion to TLS 1.2 for security
 				o.TLSConfig.MinVersion = tls.VersionTLS12
 			} else if minVer < int(tls.VersionTLS12) {
 				return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
 			} else {
 				o.TLSConfig.MinVersion = uint16(minVer)
 			}
+		} else {
+			// If not specified, always set minimum to TLS 1.2
+			o.TLSConfig.MinVersion = tls.VersionTLS12
 		}
 		if q.has("tls_max_version") {
 			maxVer := q.int("tls_max_version")
