Comments (7)
mp911de
commented on May 16, 2024
Support SSL on plain Redis Connections. Connect over sentinal and cluster are excluded because sentinel and cluster provide adresses by a redis-internal registry, external SSL port/address cannot be obtained for now.
Conneciton flags:
- SSL
true/false - StartTLS
true/false - Verify Peer
true/false(omit certificate validity/hostname check)
from lettuce.
mp911de
commented on May 16, 2024
Left todo:
- SSL Connection Builder
- Tests
- Create keys at build (in
Makefile) - Conditional tests with -Djavax.net.ssl.trustStore=keystore.jks
- Stunnel conf
- Setup stunnel in travis/snap-ci build. Should support Mac and *NIX for local build, too
stunnel.conf
cert = cert.pem
key = key.pem
capath = cert.pem
delay = yes
foreground = false
[redis]
accept = 127.0.0.1:6443
connect = 127.0.0.1:6479
Gen key/Import key to JKS
openssl genrsa -out key.pem 4096
openssl req -new -x509 -key key.pem -out cert.pem -days 1826 -subject "/O=lettuce/ST=Some-State/C=DE/CN=lettuce-test"
keytool -importcert -keystore keystore.jks -file stunnel/cert.pem -noprompt -storepass changeit
SSL Pseudo-Code
sslContext with InsecureTrustManagerFactory if verify == false
SSLEngine sslEngine = sslCtx.newEngine(ch.alloc(), isa.getHostString(), isa.getPort());
if(verify){
SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParams);
}
from lettuce.
mp911de
commented on May 16, 2024
@kichik Pushed some SSL changes towards branch issue-28-ssl-support. Do you want to sneek peek?
from lettuce.
mp911de
commented on May 16, 2024
Build support done, connect waits for successful handshake. Still thinking about reconnect. A disconnect will lead to a reconnect, but if the remote peer will not validate against SSL rules (e. g. peer verification) this will end up in a endless loop. URI parser and docs need update too.
from lettuce.
kichik
commented on May 16, 2024
Thanks. I can help you test if you want, but I don't think I will use this in production. I do think it's super useful and should be merged to master, but we just have a few extra requirements that are already satisfied with the current solution. That said, I think access to SSLParams would provide even more flexibility.
from lettuce.
mp911de
commented on May 16, 2024
Thanks for your offer, would be great having someone else testing. SSL provides lots of fancy stuff (allowed ciphers, client certs and many more). I'd release the first version with basic SSL support, and I'm thinking on something that allows flexibility without adding unneccessary complexity.
from lettuce.
mp911de
commented on May 16, 2024
SSL support implemented
from lettuce.
Related Issues (20)
- Connection handshake fails with `ERR unknown command CLIENT, with args beginning with: SETINFO lib-name` HOT 4
- Kotlin ExperimentalLettuceCoroutinesApi annotation on sync multi DSL block is necessary? HOT 2
- Support publishing of long-lived JFR events to the `EventBus`
- Redis health check failed ConcurrentModificationException: null HOT 1
- Make WithLatency visable for better custmization HOT 2
- Tracing is enabled even when using DefaultClientResources
- Add option to customize expected exceptions in `DefaultEndpoint` HOT 1
- nested exception is java.lang.UnsupportedOperationException: io.lettuce.core.output.ValueOutput does not support set(long) HOT 2
- georaduis command execute error when use ReadFrom.REPLICA_PREFERRED HOT 9
- Hash Field Expiration Support
- SSL FULL verify seed connection, but only CA verify for cluster node connections
- Getting the keys from cache returns the wrong amount in cluster mode with replica enabled. HOT 1
- Is client side caching enabled by default in lettuce? If yes, Is there a way to not do client side caching in lettuce? HOT 1
- Seeing Warning Logs :: Cannot refresh Redis Cluster topology in 6.2.6.RELEASE
- After turning on topology refresh, lettuce log is written inside rocketmq-client.log. HOT 1
- Lettuce client reconnecting frequently
- Custom command with Lettuce occurs UnsupportedOperationException HOT 1
- Stateful redis cluster pubsub is not working HOT 1
- Why does lecttuce send lua script load command to all nodes (including replicas) in redis cluster?
- `DefaultClientResources.dnsResolver(DnsResolver resolver)` should be marked as deprecated.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lettuce.