Fix SSL hostname verification bug and update env var names

This commit addresses two issues:

1. **SSL Hostname Verification Bug**: Fixed the error "Cannot set verify_mode
   to CERT_NONE when check_hostname is enabled" by adding support for the
   `ssl_check_hostname` parameter. When `REDIS_SSL_CERT_REQS=none` is set,
   hostname checking is now automatically disabled by default, matching the
   behavior of redis-cli's --insecure flag. This is essential for scenarios
   like AWS SSM port forwarding where the connection goes to localhost but
   the certificate is issued for the actual hostname.

2. **Environment Variable Naming**: Fixed inconsistencies in documentation
   (.env.example, README.md, smithery.yaml) where SSL-related environment
   variables were missing the "SSL_" prefix. Updated:
   - REDIS_CA_PATH → REDIS_SSL_CA_PATH
   - REDIS_CERT_REQS → REDIS_SSL_CERT_REQS
   - REDIS_CA_CERTS → REDIS_SSL_CA_CERTS

Changes:
- Added REDIS_SSL_CHECK_HOSTNAME configuration option
- Automatically sets check_hostname=False when cert_reqs="none"
- Added ssl_check_hostname support in parse_redis_uri()
- Passed ssl_check_hostname to both Redis and RedisCluster connections
- Added comprehensive tests for the new functionality
- Updated documentation to reflect correct variable names

Author: taylorleese

.env.example

@@ -4,9 +4,10 @@ REDIS_DB=0
 REDIS_USERNAME=default
 REDIS_PWD=your_password
 REDIS_SSL=False
-REDIS_CA_PATH=/path/to/ca.pem
+REDIS_SSL_CA_PATH=/path/to/ca.pem
 REDIS_SSL_KEYFILE=/path/to/key.pem
 REDIS_SSL_CERTFILE=/path/to/cert.pem
-REDIS_CERT_REQS=required
-REDIS_CA_CERTS=/path/to/ca_certs.pem
+REDIS_SSL_CERT_REQS=required
+REDIS_SSL_CA_CERTS=/path/to/ca_certs.pem
+REDIS_SSL_CHECK_HOSTNAME=true
 REDIS_CLUSTER_MODE=False

README.md

@@ -195,7 +195,7 @@ The following example is for Claude Desktop, but the same applies to any other M
                 "REDIS_PORT": "<your_redis_database_port>",
                 "REDIS_PWD": "<your_redis_database_password>",
                 "REDIS_SSL": True|False,
-                "REDIS_CA_PATH": "<your_redis_ca_path>",
+                "REDIS_SSL_CA_PATH": "<your_redis_ca_path>",
                 "REDIS_CLUSTER_MODE": True|False
             }
         }
@@ -300,20 +300,21 @@ uvx --from redis-mcp-server@latest redis-mcp-server --help
 
 If desired, you can use environment variables. Defaults are provided for all variables.
 
-| Name                 | Description                                               | Default Value |
-|----------------------|-----------------------------------------------------------|---------------|
-| `REDIS_HOST`         | Redis IP or hostname                                      | `"127.0.0.1"` |
-| `REDIS_PORT`         | Redis port                                                | `6379`        |
-| `REDIS_DB`           | Database                                                  | 0             |
-| `REDIS_USERNAME`     | Default database username                                 | `"default"`   |
-| `REDIS_PWD`          | Default database password                                 | ""            |
-| `REDIS_SSL`          | Enables or disables SSL/TLS                               | `False`       |
-| `REDIS_CA_PATH`      | CA certificate for verifying server                       | None          |
-| `REDIS_SSL_KEYFILE`  | Client's private key file for client authentication       | None          |
-| `REDIS_SSL_CERTFILE` | Client's certificate file for client authentication       | None          |
-| `REDIS_CERT_REQS`    | Whether the client should verify the server's certificate | `"required"`  |
-| `REDIS_CA_CERTS`     | Path to the trusted CA certificates file                  | None          |
-| `REDIS_CLUSTER_MODE` | Enable Redis Cluster mode                                 | `False`       |
+| Name                       | Description                                                        | Default Value |
+|----------------------------|------------------------------------------------------------------- |---------------|
+| `REDIS_HOST`               | Redis IP or hostname                                               | `"127.0.0.1"` |
+| `REDIS_PORT`               | Redis port                                                         | `6379`        |
+| `REDIS_DB`                 | Database                                                           | 0             |
+| `REDIS_USERNAME`           | Default database username                                          | `"default"`   |
+| `REDIS_PWD`                | Default database password                                          | ""            |
+| `REDIS_SSL`                | Enables or disables SSL/TLS                                        | `False`       |
+| `REDIS_SSL_CA_PATH`        | CA certificate path for verifying server                           | None          |
+| `REDIS_SSL_KEYFILE`        | Client's private key file for client authentication                | None          |
+| `REDIS_SSL_CERTFILE`       | Client's certificate file for client authentication                | None          |
+| `REDIS_SSL_CERT_REQS`      | Certificate requirements (none, optional, or required)             | `"required"`  |
+| `REDIS_SSL_CA_CERTS`       | Path to the trusted CA certificates file                           | None          |
+| `REDIS_SSL_CHECK_HOSTNAME` | Verify SSL certificate hostname (auto-disabled when cert_reqs=none)| `True`        |
+| `REDIS_CLUSTER_MODE`       | Enable Redis Cluster mode                                          | `False`       |
 
 
 There are several ways to set environment variables:

smithery.yaml

@@ -27,7 +27,7 @@ startCommand:
         type: boolean
         default: false
         description: Enable SSL for Redis connection
-      redisCAPath:
+      redisSSLCAPath:
         type: string
         default: ""
         description: CA certificate path for verifying server
@@ -39,14 +39,18 @@ startCommand:
         type: string
         default: ""
         description: Client certificate file for authentication
-      redisCertReqs:
+      redisSSLCertReqs:
         type: string
         default: required
-        description: Certificate requirements
-      redisCACerts:
+        description: Certificate requirements (none, optional, or required)
+      redisSSLCACerts:
         type: string
         default: ""
         description: Path to trusted CA certificates file
+      redisSSLCheckHostname:
+        type: boolean
+        default: true
+        description: Verify SSL certificate hostname (auto-disabled when cert_reqs=none)
   commandFunction:
     # A JS function that produces the CLI command based on the given config to start the MCP on stdio.
     |-
@@ -59,11 +63,12 @@ startCommand:
         REDIS_USERNAME: config.redisUsername,
         REDIS_PWD: config.redisPwd,
         REDIS_SSL: String(config.redisSSL),
-        REDIS_CA_PATH: config.redisCAPath,
+        REDIS_SSL_CA_PATH: config.redisSSLCAPath,
         REDIS_SSL_KEYFILE: config.redisSSLKeyfile,
         REDIS_SSL_CERTFILE: config.redisSSLCertfile,
-        REDIS_CERT_REQS: config.redisCertReqs,
-        REDIS_CA_CERTS: config.redisCACerts
+        REDIS_SSL_CERT_REQS: config.redisSSLCertReqs,
+        REDIS_SSL_CA_CERTS: config.redisSSLCACerts,
+        REDIS_SSL_CHECK_HOSTNAME: String(config.redisSSLCheckHostname)
       }
     })
   exampleConfig:
@@ -72,8 +77,9 @@ startCommand:
     redisUsername: default
     redisPwd: ""
     redisSSL: false
-    redisCAPath: ""
+    redisSSLCAPath: ""
     redisSSLKeyfile: ""
     redisSSLCertfile: ""
-    redisCertReqs: required
-    redisCACerts: ""
+    redisSSLCertReqs: required
+    redisSSLCACerts: ""
+    redisSSLCheckHostname: true

src/common/config.py

@@ -20,6 +20,11 @@
     "db": int(os.getenv("REDIS_DB", 0)),
 }
 
+# When ssl_cert_reqs is "none", we should disable hostname checking by default
+# This matches the behavior of redis-cli --insecure flag
+default_check_hostname = "false" if REDIS_CFG["ssl_cert_reqs"] == "none" else "true"
+REDIS_CFG["ssl_check_hostname"] = os.getenv("REDIS_SSL_CHECK_HOSTNAME", default_check_hostname) in ("true", "1", "t")
+
 
 def parse_redis_uri(uri: str) -> dict:
     """Parse a Redis URI and return connection parameters."""
@@ -69,6 +74,8 @@ def parse_redis_uri(uri: str) -> dict:
             config["ssl_keyfile"] = query_params["ssl_keyfile"][0]
         if "ssl_certfile" in query_params:
             config["ssl_certfile"] = query_params["ssl_certfile"][0]
+        if "ssl_check_hostname" in query_params:
+            config["ssl_check_hostname"] = query_params["ssl_check_hostname"][0] in ("true", "1", "t")
 
         # Handle other parameters. According to https://www.iana.org/assignments/uri-schemes/prov/redis,
         # The database number to use for the Redis SELECT command comes from

src/common/connection.py

@@ -31,6 +31,7 @@ def get_connection(cls, decode_responses=True) -> Redis:
                         "ssl_certfile": REDIS_CFG["ssl_certfile"],
                         "ssl_cert_reqs": REDIS_CFG["ssl_cert_reqs"],
                         "ssl_ca_certs": REDIS_CFG["ssl_ca_certs"],
+                        "ssl_check_hostname": REDIS_CFG["ssl_check_hostname"],
                         "decode_responses": decode_responses,
                         "lib_name": f"redis-py(mcp-server_v{__version__})",
                         "max_connections_per_node": 10,
@@ -49,6 +50,7 @@ def get_connection(cls, decode_responses=True) -> Redis:
                         "ssl_certfile": REDIS_CFG["ssl_certfile"],
                         "ssl_cert_reqs": REDIS_CFG["ssl_cert_reqs"],
                         "ssl_ca_certs": REDIS_CFG["ssl_ca_certs"],
+                        "ssl_check_hostname": REDIS_CFG["ssl_check_hostname"],
                         "decode_responses": decode_responses,
                         "lib_name": f"redis-py(mcp-server_v{__version__})",
                         "max_connections": 10,

tests/test_config.py

@@ -80,6 +80,22 @@ def test_parse_uri_with_ssl_parameters(self):
         assert result["ssl_certfile"] == "/cert.pem"
         assert result["ssl_ca_path"] == "/ca.pem"
 
+    def test_parse_uri_with_ssl_check_hostname(self):
+        """Test parsing URI with ssl_check_hostname query parameter."""
+        uri = "rediss://localhost:6379/0?ssl_check_hostname=false"
+        result = parse_redis_uri(uri)
+
+        assert result["ssl"] is True
+        assert result["ssl_check_hostname"] is False
+
+    def test_parse_uri_with_ssl_check_hostname_true(self):
+        """Test parsing URI with ssl_check_hostname set to true."""
+        uri = "rediss://localhost:6379/0?ssl_check_hostname=true"
+        result = parse_redis_uri(uri)
+
+        assert result["ssl"] is True
+        assert result["ssl_check_hostname"] is True
+
     def test_parse_uri_defaults(self):
         """Test parsing URI with default values."""
         uri = "redis://example.com"
@@ -286,3 +302,73 @@ def test_config_from_environment(self, mock_load_dotenv):
         assert config["port"] == 6380
         assert config["ssl"] is True
         assert config["cluster_mode"] is True
+
+    @patch.dict(
+        os.environ,
+        {
+            "REDIS_SSL": "true",
+            "REDIS_SSL_CERT_REQS": "none",
+        },
+    )
+    @patch("src.common.config.load_dotenv")
+    def test_ssl_check_hostname_disabled_with_cert_reqs_none(self, mock_load_dotenv):
+        """Test that ssl_check_hostname is disabled by default when ssl_cert_reqs is none."""
+        # Re-import to get fresh config
+        import importlib
+
+        import src.common.config
+
+        importlib.reload(src.common.config)
+
+        config = src.common.config.REDIS_CFG
+
+        assert config["ssl"] is True
+        assert config["ssl_cert_reqs"] == "none"
+        assert config["ssl_check_hostname"] is False
+
+    @patch.dict(
+        os.environ,
+        {
+            "REDIS_SSL": "true",
+            "REDIS_SSL_CERT_REQS": "required",
+        },
+    )
+    @patch("src.common.config.load_dotenv")
+    def test_ssl_check_hostname_enabled_with_cert_reqs_required(self, mock_load_dotenv):
+        """Test that ssl_check_hostname is enabled by default when ssl_cert_reqs is required."""
+        # Re-import to get fresh config
+        import importlib
+
+        import src.common.config
+
+        importlib.reload(src.common.config)
+
+        config = src.common.config.REDIS_CFG
+
+        assert config["ssl"] is True
+        assert config["ssl_cert_reqs"] == "required"
+        assert config["ssl_check_hostname"] is True
+
+    @patch.dict(
+        os.environ,
+        {
+            "REDIS_SSL": "true",
+            "REDIS_SSL_CERT_REQS": "none",
+            "REDIS_SSL_CHECK_HOSTNAME": "true",
+        },
+    )
+    @patch("src.common.config.load_dotenv")
+    def test_ssl_check_hostname_override(self, mock_load_dotenv):
+        """Test that ssl_check_hostname can be explicitly overridden."""
+        # Re-import to get fresh config
+        import importlib
+
+        import src.common.config
+
+        importlib.reload(src.common.config)
+
+        config = src.common.config.REDIS_CFG
+
+        assert config["ssl"] is True
+        assert config["ssl_cert_reqs"] == "none"
+        assert config["ssl_check_hostname"] is True