Support for Redis native TLS #1076
Comments
I'm using |
Hi @ilkkao, TLS support is to server-side proxies such as stunnel, hitch, and ghostunnel. I'm not sure if there's any difference between them and the native one. Pull requests for this are welcome! |
I'll try to find out what the difference between e.g. stunnel and redis native TLS is, not sure yet. |
I just tested native TLS with 'redis:6.0-rc3-alpine' (docker) + ioredis v4.16.2 + nodejs v12 and it seems to work well. Client side:
Server side (redis.conf):
|
How did you generate these certificates? |
@agarwalkhushboo, you can use utils/gen-test-certs.sh to generate self-signed certificates. Also, I found a useful article |
I'll close this one. I believe all is good. If not, someone can open a more specific issue. |
Need an example :( @assaf-xm, what are ssl.* files? |
I am currently struggling with this. In redis.com it is possible to configure TLS without requiring client keys, just the CA authority .pem file, so this works using the cli for example (using the "redis fixed certificate" that you can download from your account page)

Whereas this does not work:

```js
const redis = new Redis({
  host: 'hostname',
  port: <port>,
  tls: {
    ca: [ fs.readFileSync('path_to_ca_certfile', 'ascii') ]
  }
});
```

Gives the following error:

```
Error: Connection is closed.
    at close (/Users/manuelastudillo/Dev/taskforce/taskforce-backend/node_modules/ioredis/built/redis/event_handler.js:183:25)
    at TLSSocket.<anonymous> (/Users/manuelastudillo/Dev/taskforce/taskforce-backend/node_modules/ioredis/built/redis/event_handler.js:150:20)
    at Object.onceWrapper (events.js:417:26)
    at TLSSocket.emit (events.js:322:22)
    at net.js:672:12
    at TCP.done (_tls_wrap.js:557:7)
```

Interestingly, in the official Redis documentation they only refer to an example using client certificates too:

```js
const Redis = require('ioredis');
const fs = require('fs');
const redis = new Redis({
  host: 'hostname',
  port: <port>,
  tls: {
    key: fs.readFileSync('path_to_keyfile', 'ascii'),
    cert: fs.readFileSync('path_to_certfile', 'ascii'),
    ca: [ fs.readFileSync('path_to_ca_certfile', 'ascii') ]
  }
});
```

Any ideas? |
I'm able to connect to Redis Cloud with the following code:

```js
const Redis = require("ioredis");
const { readFileSync } = require("fs");

const redis = new Redis({
  host: "redis-xxxx.xxxxx.us-east-1-4.ec2.cloud.redislabs.com",
  port: 12836,
  tls: {
    ca: [readFileSync("/Users/luin/Downloads/redislabs_ca.pem")],
  },
  password: "xxxxxx",
});
```

Or just:

```js
const redis = new Redis({
  host: "redis-xxxx.xxxxx.us-east-1-4.ec2.cloud.redislabs.com",
  port: 12836,
  tls: "RedisCloudFixed",
  password: "xxxxxx",
});
```

I'm using a fixed plan and the SSL config is: Am I missing something? |
Okok, got it. It was not the connection itself, it works by using one of the built-in profiles, the problem comes when issuing a quit() command, check this out:
Prints the info correctly but then fails with this error:

```
(node:87282) UnhandledPromiseRejectionWarning: Error: Connection is closed.
    at close (/xxx/node_modules/ioredis/built/redis/event_handler.js:183:25)
    at TLSSocket.<anonymous> (/xxx/node_modules/ioredis/built/redis/event_handler.js:150:20)
    at Object.onceWrapper (events.js:417:26)
    at TLSSocket.emit (events.js:322:22)
    at net.js:672:12
    at TCP.done (_tls_wrap.js:557:7)
```

Weird, does not happen with other non TLS connections or other non redislabs TLS connections AFAIK. |
I think it's a server side implementation issue that when receiving the
We can probably ignore connection close errors for the |
Hmm ok. So maybe it is Redis SSL implementation that is handling the quit command differently than non SSL, and since all the other Redis cloud providers implement TLS using a proxy service they are not affected by this. |
I've contacted Redis Cloud support about this as we are seeing the same issue on our servers, will keep you guys updated as well. |
Got this back:
Do you see this as something we can add a workaround for in ioredis @luin? Something along the lines of resolving the quit command when the server is closed as a response to it? Probably similar to this: https://github.com/luin/ioredis/pull/720/files |
Thanks for the update! Personally, I'd just wait for their fix. Feel a little too much to land a workaround on ioredis for this. No strong opinion though. |
I couldn't find an existing issue about this so asking here:
Redis 6 (currently in rc phase) supports TLS natively. Details here: https://redis.io/topics/encryption
I built Redis 6 with TLS support and created certs as instructed in Redis `TLS.md` file. I then tried to connect to it using ioredis:

Should this work? My redis instance responds

```
17266:M 12 Mar 2020 15:12:14.455 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
```
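
The `unknown protocol` error in the server log above is what OpenSSL reports when the first bytes arriving on a TLS port are not a TLS ClientHello, which is what a client connecting without TLS enabled sends. The following is an added example, not part of the original issue or of ioredis: `encodeResp` and `classifyFirstBytes` are hypothetical names and the sample byte strings are constructed. It shows how the two openings differ on the wire.

```javascript
// Added example. Function names are hypothetical; sample bytes are constructed.

// Encode a command the way a plaintext Redis client writes it (RESP array).
function encodeResp(...args) {
  let out = `*${args.length}\r\n`;
  for (const a of args) out += `$${Buffer.byteLength(a)}\r\n${a}\r\n`;
  return Buffer.from(out);
}

// Classify the first bytes received on a listening socket.
function classifyFirstBytes(buf) {
  if (buf.length === 0) return { kind: "empty" };
  // TLS record header: type(1) major(1) minor(1) length(2), followed by the
  // handshake header: msg type(1) length(3).
  // 0x16 = handshake record, 0x01 = ClientHello message.
  if (buf.length >= 6 && buf[0] === 0x16 && buf[1] === 0x03 && buf[5] === 0x01) {
    return {
      kind: "tls-client-hello",
      recordVersion: `3.${buf[2]}`,
      recordLength: buf.readUInt16BE(3),
    };
  }
  // RESP array: '*' <argc> CRLF, followed by bulk strings.
  if (buf[0] === 0x2a) {
    const eol = buf.indexOf("\r\n");
    const argc = eol > 1 ? Number(buf.toString("ascii", 1, eol)) : NaN;
    if (Number.isInteger(argc) && argc > 0) return { kind: "plaintext-resp", argc };
  }
  return { kind: "unknown" };
}

// Constructed sample: start of a TLS record carrying a ClientHello
// (record length 0x0200 = 512, handshake length 0x0001fc = 508).
const SAMPLE_CLIENT_HELLO = Buffer.from(
  [0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc, 0x03, 0x03]
);
// Constructed sample: what a client without TLS enabled would write first.
const SAMPLE_PLAINTEXT = encodeResp("AUTH", "example-password");

console.log(classifyFirstBytes(SAMPLE_CLIENT_HELLO));
console.log(classifyFirstBytes(SAMPLE_PLAINTEXT));
```

The plaintext sample also shows why this misconfiguration matters beyond the failed connection: whatever the client writes first, here an `AUTH` command, crosses the network unencrypted before the server rejects the handshake.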