Fix non-local tls cert validation

yandex · Apr 5, 2024 · 98a4fcb · 98a4fcb
1 parent f6872df
commit 98a4fcb
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/internal/redis/node.go b/internal/redis/node.go
@@ -65,7 +65,7 @@ func NewNode(config *config.Config, logger *slog.Logger, fqdn string) (*Node, er
 		Protocol:        2,
 	}
 	if config.Redis.UseTLS {
-		tlsConf, err := getTLSConfig(config, config.Redis.TLSCAPath)
+		tlsConf, err := getTLSConfig(config, config.Redis.TLSCAPath, host)
 		if err != nil {
 			return nil, err
 		}

diff --git a/internal/redis/senticache.go b/internal/redis/senticache.go
@@ -78,7 +78,7 @@ func NewSentiCacheNode(config *config.Config, logger *slog.Logger) (*SentiCacheN
 		Protocol:        2,
 	}
 	if config.SentinelMode.UseTLS {
-		tlsConf, err := getTLSConfig(config, config.SentinelMode.TLSCAPath)
+		tlsConf, err := getTLSConfig(config, config.SentinelMode.TLSCAPath, localhost)
 		if err != nil {
 			return nil, err
 		}

diff --git a/internal/redis/tls.go b/internal/redis/tls.go
@@ -9,9 +9,11 @@ import (
 	"github.com/yandex/rdsync/internal/config"
 )
 
-func getTLSConfig(config *config.Config, CAPath string) (*tls.Config, error) {
+func getTLSConfig(config *config.Config, CAPath, host string) (*tls.Config, error) {
 	c := &tls.Config{}
-	c.ServerName = config.Hostname
+	if host == localhost {
+		c.ServerName = config.Hostname
+	}
 	if CAPath != "" {
 		cert, err := os.ReadFile(CAPath)
 		if err != nil {