TLS configuration for clients

[jouir]

Hello folks,

Many open source databases use TLS including Valkey. The valkey-go library implements the rediss scheme (defined in the redis-specifications repository).

Many open source databases have their own way to configure TLS:

• MySQL: ssl-mode (DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY)
• PostgreSQL: sslmode (disable, allow, prefer, require, verify-ca, verify-full)
• MongoDB: tls, tlsAllowInvalidHostnames, tlsAllowInvalidCertificates (the go client even have an out-of-spec option tlsinsecure)
• ClickHouse: secure, skip_verify

For Valkey, there's no specification for TLS options except to use it (rediss://) or not (redis://). If we want to use insecure TLS, we can provide a TLS configuration to the Go driver (like skip_verify for ClickHouse) but it's specific to the language.

That would be great to have query parameters in the URL to define TLS options that all clients could implement. Either a mode (like MySQL and PostgreSQL) or a combination of parameters (like MongoDB).

What do you think?

[jouir]

It turns out MongoDB also have a tlsMode (disabled, allowTLS, preferTLS, requireTLS).

There's already a ssl_check_hostname option to ignore hostname verification on the Python client. This is not written in the scheme specification but it's implemented. So the easiest option is to use language specific option. The Go consensus seems to be skip_verify. I'm going to create a pull request then.

[jouir]

Merged in valkey-io/valkey-go#22