[QUESTION]TLS support for AWS Elasticache Cluster #332

Closed
walkingerica opened this issue Mar 7, 2022 · 7 comments

@walkingerica

Describe the problem
We are using Redis Cluster in AWS Elasticache and trying to access it with redis-plus-plus. Now the non-auth (TLS) cluster is accessed successfully, but the auth cluster fails to connect. It hangs there without any errors; the command is "./build/test/test_redis++ -a *** -n clusterhost -c 6379". Any hints here, thank you!

During building the hiredis, we open TLS support as mentioned in the Readme.
hiredis:
make USE_SSL=1
make USE_SSL=1 install

redisplusplus:
cmake -DREDIS_PLUS_PLUS_USE_TLS=ON -DREDIS_PLUS_PLUS_CXX_STANDARD=17 ..
make
make install

Environment:

  • OS: [e.g. ubuntu]
  • Compiler: [e.g. gcc 7.5.0]
  • hiredis version: [latest]
  • redis-plus-plus version: [latest]
@sewenew
Owner

sewenew commented Mar 7, 2022

Sorry, but test_redis++ does not work with TLS.

You can write a simple code to do the test (check README for code example). Do not forget to specify certificate file related info.

Regards

@walkingerica
Author

walkingerica commented Mar 8, 2022

Thank you @sewenew, I checked the test code and found it does not contain TLS code. Tried the sample code, but met the following errors. The TLS needs certificate, but I am thinking it does not suit for Elasticache since the password is used instead of certificate. I saw a similar question here, but not sure if this is resolved. Thank you!!!

/usr/local/lib/libredis++.a(connection.cpp.o): In function `sw::redis::Connection::Connection(sw::redis::ConnectionOptions const&)':
connection.cpp:(.text+0x1b5d): undefined reference to `redisFreeSSLContext'
connection.cpp:(.text+0x1b6c): undefined reference to `redisFreeSSLContext'
connection.cpp:(.text+0x2059): undefined reference to `redisFreeSSLContext'
/usr/local/lib/libredis++.a(connection.cpp.o): In function `sw::redis::Connection::reconnect()':
connection.cpp:(.text+0x20e7): undefined reference to `redisFreeSSLContext'
/usr/local/lib/libredis++.a(redis_cluster.cpp.o): In function `sw::redis::RedisCluster::subscriber()':
redis_cluster.cpp:(.text+0x3c8): undefined reference to `redisFreeSSLContext'
/usr/local/lib/libredis++.a(redis_cluster.cpp.o):redis_cluster.cpp:(.text._ZN2sw5redis10ConnectionD2Ev[_ZN2sw5redis10ConnectionD5Ev]+0x11): more undefined references to `redisFreeSSLContext' follow
/usr/local/lib/libredis++.a(tls.cpp.o): In function `sw::redis::tls::secure_connection(redisContext&, sw::redis::tls::TlsOptions const&)':
tls.cpp:(.text+0xe4): undefined reference to `redisCreateSSLContext'
tls.cpp:(.text+0xfc): undefined reference to `redisInitiateSSLWithContext'
tls.cpp:(.text+0x1f8): undefined reference to `redisSSLContextGetError'
tls.cpp:(.text+0x2f6): undefined reference to `redisFreeSSLContext'
/usr/local/lib/libredis++.a(tls.cpp.o): In function `sw::redis::tls::TlsInit::TlsInit()':
tls.cpp:(.text+0x4d): undefined reference to `redisInitOpenSSL'
collect2: error: ld returned 1 exit status

@sewenew
Owner

sewenew commented Mar 8, 2022

> Tried the sample code, but met the following errors.

Looks like you did not link hiredis_ssl. In order to use TLS, you should link both hiredis and hiredis_ssl: libhiredis.a and libhiredis_ssl.a, or -lhiredis and -lhiredis_ssl.

> The TLS needs certificate, but I am thinking it does not suit for Elasticache since the password is used instead of certificate.

So far, hiredis does not support skipping certificate verification. Since redis-plus-plus is based on hiredis, it still needs a certificate file. Check this for detail.

Once hiredis has support for skipping certificate verification, redis-plus-plus will automatically support it. It seems that hiredis has not fixed it yet (there's a PR to fix the problem, but it is not merged yet).

Also, you might want to try the stunnel solution mentioned here. So that you don't need to make the client support TLS.

Regards
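
Added example, not part of the thread or of redis-plus-plus: a shell check for the link problem discussed in the comment above. It lists the undefined symbols in linker output shaped like the errors posted earlier and verifies that a link command names hiredis_ssl and OpenSSL in an order a single left-to-right pass over static archives can resolve. The function names, the sample output and the sample g++ command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for "undefined reference to redis*SSL*" link errors.

# Print the unique undefined symbols named in GNU ld output on stdin.
undefined_symbols() {
    grep -o "undefined reference to [\`']*[A-Za-z_][A-Za-z0-9_]*" |
        sed "s/.*[ \`']//" | sort -u
}

# Echo the 1-based position of library $1 (-lNAME or a path to libNAME.a)
# among the remaining arguments (a link command); echo 0 if it is absent.
lib_pos() {
    _name=$1; _i=0; shift
    for _arg in "$@"; do
        _i=$((_i + 1))
        case $_arg in
            "-l$_name" | "lib$_name.a" | */"lib$_name.a") echo "$_i"; return 0 ;;
        esac
    done
    echo 0
}

# Succeed only if a single left-to-right pass over static archives can
# resolve the TLS symbols: redis++ (if listed) before hiredis_ssl, and
# hiredis_ssl before OpenSSL's ssl and crypto.
check_tls_link() {
    rpp=$(lib_pos redis++ "$@"); hs=$(lib_pos hiredis_ssl "$@")
    ssl=$(lib_pos ssl "$@"); cr=$(lib_pos crypto "$@")
    if [ "$hs" -eq 0 ]; then echo "missing: hiredis_ssl"; return 1; fi
    if [ "$ssl" -eq 0 ] || [ "$cr" -eq 0 ]; then echo "missing: ssl/crypto"; return 1; fi
    if [ "$rpp" -gt "$hs" ]; then echo "order: redis++ after hiredis_ssl"; return 1; fi
    if [ "$hs" -gt "$ssl" ] || [ "$hs" -gt "$cr" ]; then echo "order: hiredis_ssl after ssl/crypto"; return 1; fi
    echo ok
}

# Constructed sample in the shape of the linker output posted in this thread.
SAMPLE_LD_OUTPUT="tls.cpp:(.text+0xe4): undefined reference to \`redisCreateSSLContext'
tls.cpp:(.text+0x4d): undefined reference to \`redisInitOpenSSL'
connection.cpp:(.text+0x1b5d): undefined reference to \`redisFreeSSLContext'
connection.cpp:(.text+0x1b6c): undefined reference to \`redisFreeSSLContext'"

printf '%s\n' "$SAMPLE_LD_OUTPUT" | undefined_symbols
# Constructed link commands: the first omits hiredis_ssl, the second is complete.
check_tls_link g++ -o app app.cpp -lredis++ -lhiredis -pthread || true
check_tls_link g++ -o app app.cpp -lredis++ -lhiredis -lhiredis_ssl -lssl -lcrypto -pthread
```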

@walkingerica
Author

Thanks a lot, got you!

> Looks like you did not link hiredis_ssl. In order to use TLS, you should link both hiredis and hiredis_ssl: libhiredis.a and libhiredis_ssl.a, or -lhiredis and -lhiredis_ssl.
--- I used actually.

Elasticache is using Auth/Password instead of certificate since its source is reliable. I'd like to check if the Auth is supported by the RedisPlusPlus since I saw some hiredis examples are listed with Auth instead of certificate.

@sewenew
Owner

sewenew commented Mar 9, 2022

If hiredis already has the support, redis-plus-plus should work too. Since it's based on hiredis.

Not sure if the example might use stunnel solution as I mentioned above.

Regards

@walkingerica
Author

> If hiredis already has the support, redis-plus-plus should work too. Since it's based on hiredis.
>
> Not sure if the example might use stunnel solution as I mentioned above.
>
> Regards

Samples from the official redis site https://docs.redis.com/latest/rs/references/client_references/client_c/ and the huawei site https://support.huaweicloud.com/intl/en-us/usermanual-dcs/dcs-ug-0312010.html, and they do not mention stunnel.

@sewenew
Owner

sewenew commented May 2, 2022

Since there's no update, I'll close this issue.

Regards

@sewenew sewenew closed this as completed May 2, 2022