The Fix
pip install redis==7.1.0
Based on closed redis/redis-py issue #3685 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke-test critical endpoints (health, OpenAPI/docs) before going to 100%.
@@ -81,10 +81,11 @@
if TYPE_CHECKING and SSL_AVAILABLE:
- from ssl import TLSVersion, VerifyMode
+ from ssl import TLSVersion, VerifyFlags, VerifyMode
else:
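Review bot: The `VerifyFlags` name added on the `+` line is bound only when `TYPE_CHECKING and SSL_AVAILABLE` holds, and the `else:` branch is cut off after its first line here (the header announces 11 lines, four are shown). Confirm that branch covers `VerifyFlags` with whatever fallback it provides for `TLSVersion` and `VerifyMode`, and that every annotation using the new name is a string or otherwise not evaluated at runtime; if not, importing the module on an interpreter built without ssl support would raise NameError.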
import os
import ssl
from typing import Mapping

from redis.asyncio import Redis as AsyncRedis
from redis.asyncio import SSLConnection

# HOST, PORT and REDIS_TLS_CERT_LOCATION are deployment settings defined elsewhere.


class RelaxedSSLConnection(SSLConnection):
    def _connection_arguments(self) -> Mapping:
        kwargs = super()._connection_arguments()
        ssl_context = self.ssl_context.get()
        # Clear the verify flags that Python 3.13 enables by default.
        if hasattr(ssl, "VERIFY_X509_STRICT"):
            ssl_context.verify_flags = ssl_context.verify_flags & ~ssl.VERIFY_X509_STRICT
        if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):
            ssl_context.verify_flags = ssl_context.verify_flags & ~ssl.VERIFY_X509_PARTIAL_CHAIN
        kwargs["ssl"] = ssl_context  # type: ignore
        return kwargs


_redis_connection = AsyncRedis(
    host=HOST,
    port=PORT,
    ssl=True,
    ssl_ca_certs=os.path.expanduser(REDIS_TLS_CERT_LOCATION),
    ssl_cert_reqs="required",
)
# Connections created by the pool from here on use the relaxed class.
_redis_connection.connection_pool.connection_class = RelaxedSSLConnection
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Option A — Upgrade to fixed release
pip install redis==7.1.0
When NOT to use: This fix should not be used if strict certificate verification is required for security compliance.

Option C — Workaround
I'm using temporarily until this is fixed:
When NOT to use: This fix should not be used if strict certificate verification is required for security compliance.
Why This Fix Works in Production
- Trigger: Asking for an option to deactivate x509 strict mode for TLS connections
- Mechanism: Added support for configuring SSL verify flags in redis-py to address issues with Python 3.13's strict x509 mode.
- Why the fix works: Added support for configuring SSL verify flags in redis-py to address issues with Python 3.13's strict x509 mode (first fixed release: 7.1.0).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Shows up under Python 3.13 in real deployments (not just unit tests).
- Production symptom (often without a traceback): Asking for an option to deactivate x509 strict mode for TLS connections
Proof / Evidence
- GitHub issue: #3685
- Fix PR: https://github.com/redis/redis-py/pull/3772
- First fixed release: 7.1.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.95
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.46
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Hacky workaround I'm using temporarily until this is fixed:”
“Hi @devl00p, You're absolutely right — at the moment, it's not possible to configure verify_flags for the client's SSL context”
“I could test the beta release and I can tell it works well :) Thank you. Will a stable release be available soon?”
“> I could test the beta release and I can tell it works well :) Thank you > > Will a stable release be available…”
Failure Signature (Search String)
- Asking for an option to deactivate x509 strict mode for TLS connections
- This is related to the Python 3.13 change: https://docs.python.org/3/whatsnew/3.13.html#ssl
Error Message
Signature-only (no traceback captured)
Minimal Reproduction
import os
import ssl
from typing import Mapping

from redis.asyncio import Redis as AsyncRedis
from redis.asyncio import SSLConnection

# HOST, PORT and REDIS_TLS_CERT_LOCATION are deployment settings defined elsewhere.


class RelaxedSSLConnection(SSLConnection):
    def _connection_arguments(self) -> Mapping:
        kwargs = super()._connection_arguments()
        ssl_context = self.ssl_context.get()
        # Clear the verify flags that Python 3.13 enables by default.
        if hasattr(ssl, "VERIFY_X509_STRICT"):
            ssl_context.verify_flags = ssl_context.verify_flags & ~ssl.VERIFY_X509_STRICT
        if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):
            ssl_context.verify_flags = ssl_context.verify_flags & ~ssl.VERIFY_X509_PARTIAL_CHAIN
        kwargs["ssl"] = ssl_context  # type: ignore
        return kwargs


_redis_connection = AsyncRedis(
    host=HOST,
    port=PORT,
    ssl=True,
    ssl_ca_certs=os.path.expanduser(REDIS_TLS_CERT_LOCATION),
    ssl_cert_reqs="required",
)
# Connections created by the pool from here on use the relaxed class.
_redis_connection.connection_pool.connection_class = RelaxedSSLConnection
Environment
- Python: 3.13
What Broke
Jobs could not access the Redis instance, resulting in downtime for applications relying on Redis.
Fix Options (Details)
Option A — Upgrade to fixed release (safe default, recommended)
pip install redis==7.1.0
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Option C — Workaround (temporary)
I'm using temporarily until this is fixed:
Use only if you cannot change versions today. Treat this as a stopgap and remove once upgraded.
Fix reference: https://github.com/redis/redis-py/pull/3772
First fixed release: 7.1.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if strict certificate verification is required for security compliance.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Prevention
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
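
A configuration check that can run in CI next to the handshake smoke test, as an added example (not code from redis-py or the issue thread). It uses only the standard-library `ssl` module to confirm that turning off x509 strict mode has not also turned off chain or hostname verification. The helper names and the policy in `is_acceptable` are assumptions, and unlike the workaround above it clears only `VERIFY_X509_STRICT`.

```python
import ssl

# Verify flags that Python 3.13 added to ssl.create_default_context() defaults.
PY313_DEFAULT_FLAGS = ("VERIFY_X509_STRICT", "VERIFY_X509_PARTIAL_CHAIN")


def relax_strict_only(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Clear only VERIFY_X509_STRICT; every other control is left untouched."""
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which verification controls are active on a client context."""
    flags = {
        name: bool(ctx.verify_flags & getattr(ssl, name))
        for name in PY313_DEFAULT_FLAGS
        if hasattr(ssl, name)  # PARTIAL_CHAIN is missing on older Pythons
    }
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "flags": flags,
    }


def is_acceptable(report: dict) -> bool:
    """Assumed policy: strict mode may be off, chain and hostname checks may not."""
    return report["chain_verified"] and report["hostname_checked"]


def weakened_context() -> ssl.SSLContext:
    """Constructed bad example: what the audit is meant to catch."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for label, ctx in (
        ("default", ssl.create_default_context()),
        ("strict off", relax_strict_only(ssl.create_default_context())),
        ("weakened", weakened_context()),
    ):
        report = audit_context(ctx)
        print(f"{label:10} ok={is_acceptable(report)} {report}")
```

Point `audit_context` at the context your client actually builds and fail the build when `is_acceptable` returns False.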
Version Compatibility Table
| Version | Status |
|---|---|
| 7.1.0 | Fixed |
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.