Skip to content

Make it easier to use user certificate files#2873

Merged
mgravell merged 3 commits intomainfrom
user-cert
Apr 15, 2025
Merged

Make it easier to use user certificate files#2873
mgravell merged 3 commits intomainfrom
user-cert

Conversation

@mgravell
Copy link
Collaborator

@mgravell mgravell commented Apr 12, 2025
edited
Loading

Historically, certs only worked with PFX files, which made it a pain to work with the cert pairs typically downloaded from hosts like Redis Ltd; however, on more recent .NET versions PEM is fully available. Here, we:

  • add new methods on ConfigurationOptions (akin to the existing TrustIssuer method) to configure certificates from files
  • support PEM in the ambient setup

There are no tests added here, due to the inherent problems of CI talking to such servers; however:

 var options = ConfigurationOptions.Parse("redis-redacted.redislabs.com:4242"); // port also redacted
 options.TrustIssuer(@"C:\Code\RedisKeys\redis_ca.pem");
 options.SetUserPemCertificate(@"C:\Code\RedisKeys\redis-redacted.crt", @"C:\Code\RedisKeys\redis-redacted.key");
 using var conn = await ConnectionMultiplexer.ConnectAsync(options);
 for (int i = 0; i < 10; i++)
 {
     var ttl = await conn.GetDatabase().PingAsync();
     Console.WriteLine(ttl);
 }

works with the files downloaded from my hosted Redis Ltd endpoint:

image

To @philon-msft : open question: can we check Azure Redis with similar?

^^^ update: Philo assures me that Azure Redis doesn't have any relevant client-cert scenarios to consider

@mgravell
Copy link
Collaborator Author

mgravell commented Apr 12, 2025

In particular: contrast this to the recommended approach currently on my hosted Redis Ltd instance:

 configurationOptions.CertificateSelection += delegate
        {
            return new X509Certificate2(
                "<path_to_redis.pfx_file>",
                "<pfx_file_password>"
            );
        };

Which a: requires additional manual steps to export the pem/key file to pfx, which isn't trivial, and b: is more additional work. Sure: if you want more control, it is great to have the full options, but most people will just have the file pair.

@mgravell
Copy link
Collaborator Author

mgravell commented Apr 12, 2025

also /cc @atakavci to a: see if there's any feedback from the Redis side, and b: (future, obvs) see if we can get updating the cloud console updated to suggest this approach.

NickCraver
NickCraver approved these changes Apr 15, 2025
View reviewed changes
Copy link
Collaborator

@NickCraver NickCraver left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One quick comment - TODOs: get test server setup and docs here as follow-ups

src/StackExchange.Redis/PhysicalConnection.cs Outdated
if (!string.IsNullOrEmpty(pfxStorageFlags))
{
var tmp = Enum.Parse(typeof(X509KeyStorageFlags), pfxStorageFlags) as X509KeyStorageFlags?;
if (tmp is not null) storageFlags = tmp.GetValueOrDefault();
Copy link
Collaborator

@NickCraver NickCraver Apr 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could use .TryParse a bit simpler here

Copy link
Collaborator Author

@mgravell mgravell Apr 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done: 7a9208f

@mgravell
- release notes
7a9208f 
- use Enum.TryParse for the X509 flags
@mgravell mgravell merged commit 328b4b5 into main Apr 15, 2025
5 of 8 checks passed
@mgravell mgravell deleted the user-cert branch April 15, 2025 17:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NickCraver NickCraver NickCraver approved these changes

@philon-msft philon-msft Awaiting requested review from philon-msft

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mgravell @NickCraver