Call AUTH before HELLO

[OrangeDog]

Feature Request

Redis appears to be poorly designed security-wise, and in most ACL configurations it is not possible to use HELLO to authenticate because you have to authenticate first in order to be allowed to call it.

By default, of if configured to use RESP3, Lettuce will try to do this. It will only work if the default user is configured with no password.

Is your feature request related to a problem? Please describe

In most secure configurations you will get #1379.

Describe the solution you'd like

Lettuce should always AUTH first if a (username and) password is provided, before doing any protocol negotiation.

Describe alternatives you've considered

Either always force RESP2, or configure user default on nopass +hello.

The former requires user code changes and is less efficient. The latter is not appropriate if you need the default user for something else.

Teachability, Documentation, Adoption, Migration Strategy

No change to visible API/config.

[OrangeDog]

Noting that I was testing with Lettuce 6.1.10 and Redis 6.0.20.

[mp911de]

HELLO is designed to accept username and password for authentication. If it is possible to disable HELLO via permissions of the default user, then this is a massive design flaw in Redis and needs to be fixed there. Have you already reached out to the Redis folks?

[OrangeDog]

I have found redis/redis#8558. It appears the fix was in Redis 6.2.2.

So Lettuce would work with most versions, but 6.0 is what's in Ubuntu 22.04 LTS, so there's a significant userbase on that.

[tishun]

I have found redis/redis#8558. It appears the fix was in Redis 6.2.2.

So Lettuce would work with most versions, but 6.0 is what's in Ubuntu 22.04 LTS, so there's a significant userbase on that.

Redis 6.0 is quite old - the start of 2021, so more than 3 years old. 6.2.2 is also not a major release, so upgrading to it should not introduce any breaking changes itself.

Could you help me understand why - for a production environment - a user would choose to stick with the default Redis package that is built in? Ubuntu 22.04 LTS has a maintenance support window until 2027 and an expanded maintenance window until 2032 - would that mean that users would use Redis 6.0 in 2032?

(FWIW - there is a conversation on the topic of how Ubuntu handles package updates in Reddit)

[OrangeDog]

why - for a production environment - a user would choose to stick with the default Redis package

You answered it yourself:

Ubuntu 22.04 LTS has a maintenance support window until 2027 and an expanded maintenance window until 2032

---

would that mean that users would use Redis 6.0 in 2032?

100% yes, unless Canonical decide to change their policy during that support window. That would cause some serious backlash, as the point of LTS is that things do not change. The expanded support is for paying customers, who are paying for it not to change for a reason.

[tishun]

Lettuce should always AUTH first if a (username and) password is provided, before doing any protocol negotiation.
I understand how this is a problem for the community, but I also feel very uneasy with this suggestion. The driver is really not doing anything wrong and we want to change the handshake mechanism to avoid hitting an issue in the server.

Another issue for me is that this sets a dangerous precedent - any server side bug would have to be fixed in the driver for the duration of a Ubuntu maintenance window. And we would also have to keep track to remove these workarounds when the Ubuntu release is no longer maintained.

As a side effect we would also degrade the handshake performance by executing two commands instead of one.

At this point I am very much inclined to close this as wont fix, but I think we can convert it to a discussion and see if the community overwhelmingly thinks that such a change is required.