Redis v6 - Cluster & Client TLS support?


Kyle Tait

Jan 20, 2020, 4:52:40 AM1/20/20
to Redis DB
Hi,

Does anyone know if the new V6 RC1 release includes TLS support for both client and cluster (node to node)?

Thanks,
Kyle

Itamar Haber

Jan 20, 2020, 9:52:30 AM1/20/20
to redi...@googlegroups.com
Hello Kyle,

Yes: server-client, master-replica and cluster bus are TLS-able. You can check this PR for the details https://github.com/antirez/redis/pull/6236, or review the relevant configuration directives in the redis.conf file:
# If TLS/SSL clients are required to authenticate using a client side
# certificate, use this directive.
#
# Note: this applies to all incoming clients, including replicas.
#
# tls-auth-clients yes

# If TLS/SSL should be used when connecting as a replica to a master, enable
# this configuration directive:
#
# tls-replication yes

# If TLS/SSL should be used for the Redis Cluster bus, enable this configuration
# directive.
#
# NOTE: If TLS/SSL is enabled for Cluster Bus, mutual authentication is always
# enforced.
#
# tls-cluster yes


--
You received this message because you are subscribed to the Google Groups "Redis DB" group.
To unsubscribe from this group and stop receiving emails from it, send an email to redis-db+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/redis-db/49a126a7-59ec-4f4b-b50f-a51957411d41%40googlegroups.com.


--

Itamar Haber
Technicalist Evangely

Phone: +972.54.567.9692

Redis Labs

Greg Andrews

Jan 20, 2020, 12:22:15 PM1/20/20
to Redis DB
Hi Itamar,

Are three options for checking the validity of the Certificate Authority that signed the certificates?  Open source software usually has three levels:
  1. Must be signed by any CA (such as self-signed)
  2. Must be signed by one of the CAs that I can find in my list/directory of trusted CAs
  3. Must be signed by one specific CA

There are very often use cases that want to consider only one specific CA as valid for TLS connections between masters and replicas (or Cluster members), but a looser list of valid CAs for TLS connections from "ordinary" clients that are not masters/replicas.

The option of having a list of valid CAs can become very important for groups of Redis servers that support replication to different data centers and/or locations (regions), because the instances that need to connect to each other may be running on hosts in different DNS domains with TLS certificates signed by different CAs.

Greg Andrews

Jan 20, 2020, 12:27:03 PM1/20/20
to Redis DB
I meant:

Are there options for checking ...

Kyle Tait

Jan 20, 2020, 11:53:21 PM1/20/20
to Redis DB
Thanks Itamar!

abhishek yadav

Jan 21, 2020, 3:08:51 AM1/21/20
to redi...@googlegroups.com
Hi All,

I am facing an issue in setting up a Redis cluster over 3 containers (each container hosted on a different Linux machine).
I have been following the procedure described at https://redis.io/topics/cluster-tutorial.
It says to use the host networking option for configuring Redis over containers, but I am worried: all 3 of my containers are on separate hosts, so in that case how would they communicate?

Has anyone configured a Redis cluster over containers, or have any idea which networking option should be used on the containers? It would be of great help to me.

Alternatively, can someone suggest how to set up a Redis cluster over containers, with each container hosted on a separate machine?

Regards,
Abhishek 


Itamar Haber

Jan 21, 2020, 11:28:02 AM1/21/20
to redi...@googlegroups.com
Heya Greg,

Disclaimer: I'm yet to grok TLS. That said, from what I see, there appears to be a single CA bundle for a server, so I'd say no. This would be a good feature request to make in the repo.


Kyle Tait

Jan 22, 2020, 6:27:13 PM1/22/20
to Redis DB
Hi Itamar,

With TLS in the redis.conf configuration file I can see no option to specify an advertised address, for example the server hostname, so for the certificate common name, is the only option to use the host IP?

My goal is to enable "tls-auth-clients" and "tls-cluster" and use a certificate for each node with the common name being the host FQDN. 

Thanks,
Kyle

Itamar Haber

Jan 24, 2020, 12:20:18 PM1/24/20
to redi...@googlegroups.com
Heya Kyle,

Presently there is no such option - please feel free to open a Feature Request issue in the repo for this.

Cheers, 

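The three directives quoted from redis.conf earlier in the thread (tls-auth-clients, tls-replication, tls-cluster), Greg's question about CA scoping and Kyle's goal of one FQDN certificate per node with tls-cluster all hinge on the same thing: what the node's tls-ca-cert-file trusts. The script below is an added example, not code from the thread or from the Redis project. It builds a CA dedicated to one cluster, issues a per-node certificate with the FQDN in CN and subjectAltName and with both serverAuth and clientAuth usages (a node presents the same certificate as TLS server to clients and as TLS client on the bus and as a replica), emits the matching redis.conf fragment, and checks a certificate against a CA the way mutual authentication does. It assumes openssl on PATH; the hostnames and paths are placeholders. Because a Redis 6 node has a single trust bundle and, as the replies above say, no advertised-hostname directive, anything the CA signs is accepted as a peer, so the CA should be private to the cluster rather than a shared corporate one.

```shell
#!/bin/sh
# Added example (not from the thread or the Redis project): dedicated cluster CA,
# per-node certificate with FQDN in CN and SAN, redis.conf TLS fragment.
# Assumes `openssl` is on PATH. Hostnames and directories are placeholders.
set -eu

# CA used *only* for this Redis cluster. Redis trusts one bundle (tls-ca-cert-file),
# so every certificate this CA issues is a valid client/replica/cluster peer.
make_ca() {            # make_ca <outdir>
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=redis-cluster-ca" >/dev/null 2>&1
}

# Node certificate: CN and SAN carry the FQDN; EKU covers both roles because
# the node is a TLS server (clients, bus listener) and a TLS client (replica,
# bus initiator) with the same key pair.
issue_node_cert() {    # issue_node_cert <outdir> <fqdn>
  dir=$1; fqdn=$2
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
    -subj "/CN=$fqdn" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$fqdn" \
    > "$dir/$fqdn.ext"
  openssl x509 -req -days 825 -in "$dir/$fqdn.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt" >/dev/null 2>&1
}

# Chain check against one CA: exit 0 if the certificate was issued by it, else
# non-zero. This is the only identity check a peer gets with a single CA bundle;
# a certificate from any other CA is refused, a certificate from this CA with any
# CN is accepted.
verify_against_ca() {  # verify_against_ca <ca.crt> <cert.crt>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# redis.conf fragment for one node. `port 0` turns off the plaintext listener so
# only the TLS port is reachable; the three directives from the thread enable
# client-cert checking, TLS replication and the TLS cluster bus.
node_conf() {          # node_conf <dir> <fqdn>
  cat <<EOF
port 0
tls-port 6379
tls-cert-file $1/$2.crt
tls-key-file $1/$2.key
tls-ca-cert-file $1/ca.crt
tls-auth-clients yes
tls-replication yes
tls-cluster yes
EOF
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_ca "$d"
  issue_node_cert "$d" redis-1.example.internal
  node_conf "$d" redis-1.example.internal
fi
```

Run the same issue_node_cert for every node against the one CA, copy ca.crt plus the node's own crt/key to each host, and use the emitted fragment in that host's redis.conf. A client that must pass tls-auth-clients yes needs a certificate from the same CA (the clientAuth usage above is enough); if you want "ordinary" clients signed by a looser set of CAs, as Greg asks, that is not expressible with a single bundle, which is the feature request Itamar suggests.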

游清凡

Feb 27, 2020, 2:19:31 AM2/27/20
to Redis DB
Hi Itamar,

I am going to compare performance between using Stunnel and Redis v6 TLS, but redis-benchmark seems not to support TLS.
I tried adding cliSecureConnection after redisConnectNonBlock, but it did not work.
redisConnectNonBlock does not print any error, but when I send a command I get the log below:
29:M 25 Feb 2020 07:26:35.423 # Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Do you have any suggestions?


On Monday, 20 January 2020 at 10:52:30 PM UTC+8, Itamar Haber wrote:

Itamar Haber

Feb 28, 2020, 5:58:38 AM2/28/20
to redi...@googlegroups.com
Hello 游清凡,

Instead of hacking redis-benchmark to do TLS (which is good, don't get me wrong, and if you complete it please PR it ;)) and until official support has been added to it, you can try using memtier_benchmark (https://github.com/RedisLabs/memtier_benchmark) as a TLS-enabled alternative.






Disclaimer

The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.

This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more Click Here.
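The server log quoted above, ssl3_get_record:wrong version number, is what OpenSSL reports when the first bytes arriving on a TLS listener are not a TLS record; it is consistent with a plaintext RESP command being sent to the tls-port before any handshake. The following is an added example, not code from the thread, from redis-benchmark or from memtier_benchmark: a minimal Python client (standard library only) that completes the TLS handshake first, presents a client certificate for tls-auth-clients yes, and then speaks RESP, plus a small classifier for the first bytes of a connection that tells the two cases apart. Host names, ports and certificate paths are placeholders; the sample replies the parser is exercised on are constructed byte strings.

```python
"""Added example (not from the thread or the Redis project): RESP over TLS with
a client certificate.  Paths/hosts below are placeholders."""
import socket
import ssl
from typing import List, Optional, Tuple, Union


class RedisError(Exception):
    """A RESP error reply ('-ERR ...'), returned rather than raised."""


class Incomplete(ValueError):
    """Buffer does not yet hold a whole reply; read more and retry."""


Reply = Union[str, int, bytes, None, List["Reply"], RedisError]


def encode_command(*args: Union[str, bytes]) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a.encode() if isinstance(a, str) else a
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def parse_reply(buf: bytes, pos: int = 0) -> Tuple[Reply, int]:
    """Parse one RESP2 reply at `pos`; return (value, next_pos).
    Raises Incomplete if more bytes are needed, ValueError if malformed."""
    end = buf.find(b"\r\n", pos)
    if pos >= len(buf) or end < 0:
        raise Incomplete("need more data")
    kind, line, nxt = buf[pos:pos + 1], buf[pos + 1:end], end + 2
    if kind == b"+":
        return line.decode(), nxt
    if kind == b"-":
        return RedisError(line.decode()), nxt
    if kind == b":":
        return int(line), nxt
    if kind == b"$":
        n = int(line)
        if n == -1:
            return None, nxt                      # null bulk string
        data = buf[nxt:nxt + n]
        if len(data) != n or buf[nxt + n:nxt + n + 2] != b"\r\n":
            raise Incomplete("bulk string truncated")
        return data, nxt + n + 2
    if kind == b"*":
        n = int(line)
        if n == -1:
            return None, nxt                      # null array
        items: List[Reply] = []
        for _ in range(n):
            item, nxt = parse_reply(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError("unknown RESP type %r" % kind)


def classify_first_bytes(data: bytes) -> str:
    """A TLS record begins with content type 0x16 (handshake) and a 0x03xx
    version; a RESP command begins with '*'.  A server seeing the latter on its
    tls-port logs 'wrong version number', as in the message above."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data[:1] == b"*":
        return "resp-plaintext"
    return "unknown"


def make_client_context(ca_file: str, cert_file: Optional[str] = None,
                        key_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2+ client context: verify the server against the cluster CA and
    check its hostname against the SAN; present a client cert if given
    (required when the server runs with `tls-auth-clients yes`)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def execute(sock: socket.socket, *args: Union[str, bytes]) -> Reply:
    """Send one command on an already TLS-wrapped socket and read one reply."""
    sock.sendall(encode_command(*args))
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        try:
            return parse_reply(buf)[0]
        except Incomplete:
            continue


def tls_ping(host: str, port: int, ctx: ssl.SSLContext) -> Reply:
    """Handshake first (the step the failing benchmark skipped), then PING."""
    raw = socket.create_connection((host, port), timeout=5)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return execute(tls, "PING")


if __name__ == "__main__":
    # Placeholder paths/hosts: a node whose cert has the FQDN in its SAN.
    context = make_client_context("ca.crt", "client.crt", "client.key")
    print(tls_ping("redis-1.example.internal", 6379, context))
```

check_hostname=True means the node certificate must carry the FQDN you connect to in its subjectAltName, which is exactly the per-node FQDN certificate Kyle describes; connecting by IP to a certificate that only names the host would fail verification on the client side even though Redis itself accepts it.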
