error connecting with SSL

[adobeturchenko]

I'm trying to connect to SSL Redis server and getting connection error.
(I tried to connect to the same server using redis-cli with hostname and a password and it works fine)

ConnectionOptions opts;
opts.host = <some_hostname>;
opts.port = 6380;
opts.tls.enabled = true;
opts.password = <some_password>;

Error I got is not very informative:
redis error: Failed to initialize TLS connection: SSL_connect failed: (null)

After modifying hiredis it gave me something better:
redis error: Failed to initialize TLS connection: SSL_connect failed: certificate verify failed

It looks like the code (SSL_get_verify_result(ssl) == 20) refers to:
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

I'm likely doing something wrong. But what? (again, redis-cli works fine)

[sewenew]

Since you enabled ConnectionOptions::tls::enable, you need to specify other TLS options, e.g. certification file, key file. Please check the doc for detail.

I tried to connect to the same server using redis-cli with hostname and a password and it works fine

Did you connect Redis with TLS enabled? If you did, you should set TLS options with command line arguments. For example:

./src/redis-cli --tls \
        --cert ./tests/tls/redis.crt \
        --key ./tests/tls/redis.key \
        --cacert ./tests/tls/ca.crt

You can use these command line arguments to set ConnectionOptions::tls

Regards

[adobeturchenko]

Actually I connected in redis-cli without specifying certificates:
redis-cli --tls -h < some_hostname > -p 6380
and after authentication was able to set/get values.

Also jedis (Java client) connects and all tests pass without certificates on the same host.
Redis++ documentation states that those certificates are optional:
opts.tls.enabled = true; // Required. false by default.
opts.tls.cert = "/path/to/client/certificate"; // Optional
opts.tls.key = "/path/to/private/key/file"; // Optional
opts.tls.cacert = "/path/to/CA/certificate/file"; // Optional
opts.tls.sni = "server-name-indication"; // Optional

[adobeturchenko]

I think I've figured it out...
redis-cli has an option to skip certificate verification:
SSL_CTX_set_verify(ssl_ctx, config.skip_cert_verify ? SSL_VERIFY_NONE : SSL_VERIFY_PEER, NULL);
I don't see such option in redis-plus-plus but maybe I need to look again.

[sewenew]

@adobeturchenko Thanks for pointing it out!

It seems that this is a new feature for redis-cli, and it has not been supported by hiredis:

    SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);

So redis-plus-plus cannot skip the verification so far.

Sorry for that. I'll keep an eye on this hiredis' progress on this problem, and if hiredis fixes it, I'll make redis-plus-plus supports this feature.

Regards

[adobeturchenko]

After another round of research I've found actual missing code in hiredis:

diff --git a/ssl.c b/ssl.c
index c856bbc..726706a 100644
--- a/ssl.c
+++ b/ssl.c
@@ -273,6 +273,11 @@ redisSSLContext *redisCreateSSLContext(const char *cacert_filename, const char *
             if (error) *error = REDIS_SSL_CTX_CA_CERT_LOAD_FAILED;
             goto error;
         }
+    } else {
+        if (!SSL_CTX_set_default_verify_paths(ctx->ssl_ctx)) {
+            printf( "!!!!   Failed to use default CA paths\n");
+            goto error;
+        }
     }
 
     if (cert_filename) {

According to OpenSSL:
SSL_CTX_set_default_verify_paths() specifies that the default locations from which CA certificates are loaded should be used. There is one default directory and one default file. The default CA certificates directory is called "certs" in the default OpenSSL directory.

It can be fixed in hiredis or maybe in redis++ similar to how redis-cli is doing it (they also have dependency on hiredis) - construct SSL object inside redis++ and pass it with redisInitiateSSL() (redis++ uses redisInitiateSSLWithContext() and relies on hiredis to deal with SSL as I understand).

[sewenew]

I think it's better to make hiredis to support it, so that redis-plus-plus can be consistent with it.

I've created a pull request to hiredis: #927. When it's done, I'll port it to redis-plus-plus.

Regards

[sewenew]

Since hiredis already supports skipping certificate verification, I added this support for redis-plus-plus. In order to use this feature, you need to install hiredis v1.1.0 or above with TSL support.

ConnectionOptions opts;
opts.host = "127.0.0.1";
opts.port = 6379;
opts.tls.enabled = true;
opts.tls.verify_mode = REDIS_SSL_VERIFY_NONE;   // DO NOT verify certificate.
auto r = Redis(opts);
std::cout << r.ping() << std::endl;

Regards

[sewenew]

I’ll publish a new release these days with some other changes. I’ll let you know when I’m done. Regards

…

________________________________ 发件人: Ganesh ***@***.***> 发送时间: Thursday, April 27, 2023 8:14:47 PM 收件人: sewenew/redis-plus-plus ***@***.***> 抄送: sewenew ***@***.***>; Mention ***@***.***> 主题: Re: [sewenew/redis-plus-plus] error connecting with SSL (#183) @sewenew<https://github.com/sewenew> Can you please release a new version with this change ? ― Reply to this email directly, view it on GitHub<#183 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWWTAPXB7GAGOTKOJE6SSLXDJPLPANCNFSM4Y4427CA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[sewenew]

I’ve already published a release with this feature. Regards

…

________________________________ 发件人: Ganesh ***@***.***> 发送时间: Thursday, April 27, 2023 8:14:47 PM 收件人: sewenew/redis-plus-plus ***@***.***> 抄送: sewenew ***@***.***>; Mention ***@***.***> 主题: Re: [sewenew/redis-plus-plus] error connecting with SSL (#183) @sewenew<https://github.com/sewenew> Can you please release a new version with this change ? ― Reply to this email directly, view it on GitHub<#183 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWWTAPXB7GAGOTKOJE6SSLXDJPLPANCNFSM4Y4427CA>. You are receiving this because you were mentioned.Message ID: ***@***.***>