async connection via sentinel using TLS and self-signed certificate

[ajgon]

Version: redis-py=4.3.4, redis=7.0.5

Platform: Python 3.9.14 / Linux

Description:
I'm trying to connect to redis via sentinel, using TLS and self signed certificate - using async connection. Here are the results of my tests:

Having connection built like these:

aioredis.sentinel.SentinelConnectionPool(
    master_name,
    aioredis.sentinel.Sentinel(sentinels, sentinel_kwargs=sentinel_kwargs, **connection_kwargs),
    **host_kwargs
)

I'm getting following results basing on given arguments (I'm skipping sentinel_kwargs and master_name, as sentinel itself works correctly)

Without host kwargs, and connection kwargs configured - ssl to redis master doesn't work.

connection_kwargs = {'password': 'mypass', 'ssl': True, 'ssl_cert_reqs': 'none'}
host_kwargs = {}
# redis.exceptions.ConnectionError: Error while reading from master-node-resolved-from-sentinel:6379 : (104, 'Connection reset by peer')
# 104 - means no SSL connection at all

With ssl configured in host kwargs - password is not used (checked redis-side, no AUTH is sent at all:

connection_kwargs = {'password': 'mypass', 'ssl': True, 'ssl_cert_reqs': 'none'}
host_kwargs = {'ssl': True, 'ssl_cert_reqs': 'none'}
# redis.exceptions.AuthenticationError: Authentication required.

When I try add password to host kwargs, it gets more bizzare, as now despite sentinels were asked for masters, redis py connects to localhost 🤔

connection_kwargs = {'password': 'mypass', 'ssl': True, 'ssl_cert_reqs': 'none'}
host_kwargs = {'ssl': True, 'ssl_cert_reqs': 'none', 'password': 'mypass'}
# OSError: Multiple exceptions: [Errno 111] Connect call failed ('::1', 6379, 0, 0), [Errno 111] Connect call failed ('127.0.0.1', 6379)

And last but not least - I can skip connection_kwargs completely, and all three behaviors repeat:

connection_kwargs = {}
host_kwargs = {}

# redis.exceptions.ConnectionError: Error while reading from master-node-resolved-from-sentinel:6379 : (104, 'Connection reset by peer')
# 104 - means no SSL connection at all

host_kwargs = {'ssl': True, 'ssl_cert_reqs': 'none'}
# redis.exceptions.AuthenticationError: Authentication required.

host_kwargs = {'ssl': True, 'ssl_cert_reqs': 'none', 'password': 'mypass'}
# OSError: Multiple exceptions: [Errno 111] Connect call failed ('::1', 6379, 0, 0), [Errno 111] Connect call failed ('127.0.0.1', 6379)

I'm not sure if I'm missing something here, or is there a bug? What is expected way to handle that situation? Is it possible?

[cancan101]

I am seeing similar errors on non Sentinel with self-signed:

ConnectionResetError: null
  File "redis/asyncio/connection.py", line 603, in connect
    await self.retry.call_with_retry(
  File "redis/asyncio/retry.py", line 59, in call_with_retry
    return await do()
  File "redis/asyncio/connection.py", line 640, in _connect
    reader, writer = await asyncio.open_connection(
  File "asyncio/streams.py", line 48, in open_connection
    transport, _ = await loop.create_connection(
  File "uvloop/loop.pyx", line 2084, in create_connection
  File "uvloop/loop.pyx", line 2079, in uvloop.loop.Loop.create_connection
  File "uvloop/sslproto.pyx", line 517, in uvloop.loop.SSLProtocol._on_handshake_complete

ConnectionError: Error connecting to XXXX. Connection reset by peer
  File "aiocache/decorators.py", line 148, in get_from_cache
    return await self.cache.get(key)
  File "aiocache/base.py", line 64, in _enabled
    return await func(*args, **kwargs)
  File "aiocache/base.py", line 47, in _timeout
    return await func(self, *args, **kwargs)
  File "aiocache/base.py", line 78, in _plugins
    ret = await func(self, *args, **kwargs)
  File "aiocache/base.py", line 199, in get
    value = loads(await self._get(ns_key, encoding=self.serializer.encoding, _conn=_conn))
  File "aiocache/backends/redis.py", line 74, in _get
    value = await self.client.get(key)
  File "redis/asyncio/client.py", line 509, in execute_command
    conn = self.connection or await pool.get_connection(command_name, **options)
  File "redis/asyncio/connection.py", line 1607, in get_connection
    await connection.connect()
  File "redis/asyncio/connection.py", line 611, in connect
    raise ConnectionError(self._error_message(e))

I am creating the client:

        connection_pool = redis.BlockingConnectionPool(
            host=self.endpoint,
            port=self.port,
            db=self.db,
            password=self.password,
            decode_responses=False,
            socket_connect_timeout=self.create_connection_timeout,
            max_connections=self.pool_max_size,
            ssl_cert_reqs=None,
            connection_class=redis.SSLConnection,
        )
        client = redis.Redis(connection_pool=connection_pool)

[github-actions]

This issue is marked stale. It will be closed in 30 days if it is not updated.