sewenew / redis-plus-plus

Redis client written in C++
Apache License 2.0

[QUESTION]TLS support for AWS Elasticache Cluster #332

Closed walkingerica closed 2 years ago

walkingerica commented 2 years ago

Describe the problem

We are using Redis Cluster in AWS Elasticache and trying to access it with redis-plus-plus. Now the non-auth (TLS) cluster is accessed successfully, but the auth cluster fails to connect. It is hanging there without any errors; the command is "./build/test/test_redis++ -a *** -n clusterhost -c 6379". Any hints here? Thank you!

When building hiredis, we turned on TLS support as mentioned in the README.

hiredis:

```
make USE_SSL=1
make USE_SSL=1 install
```

redisplusplus:

```
cmake -DREDIS_PLUS_PLUS_USE_TLS=ON -DREDIS_PLUS_PLUS_CXX_STANDARD=17 ..
make
make install
```

Environment:

sewenew commented 2 years ago

Sorry, but test_redis++ does not work with TLS.

You can write a simple code to do the test (check README for code example). Do not forget to specify certificate file related info.

Regards

walkingerica commented 2 years ago

Thank you @sewenew, I checked the test code and found it does not contain TLS code. Tried the sample code, but met the following errors. The TLS needs certificate, but I am thinking it does not suit for Elasticache since the password is used instead of certificate. I saw a similar question here, but not sure if this is resolved. Thank you!!!

```
/usr/local/lib/libredis++.a(connection.cpp.o): In function `sw::redis::Connection::Connection(sw::redis::ConnectionOptions const&)':
connection.cpp:(.text+0x1b5d): undefined reference to `redisFreeSSLContext'
connection.cpp:(.text+0x1b6c): undefined reference to `redisFreeSSLContext'
connection.cpp:(.text+0x2059): undefined reference to `redisFreeSSLContext'
/usr/local/lib/libredis++.a(connection.cpp.o): In function `sw::redis::Connection::reconnect()':
connection.cpp:(.text+0x20e7): undefined reference to `redisFreeSSLContext'
/usr/local/lib/libredis++.a(redis_cluster.cpp.o): In function `sw::redis::RedisCluster::subscriber()':
redis_cluster.cpp:(.text+0x3c8): undefined reference to `redisFreeSSLContext'
/usr/local/lib/libredis++.a(redis_cluster.cpp.o):redis_cluster.cpp:(.text._ZN2sw5redis10ConnectionD2Ev[_ZN2sw5redis10ConnectionD5Ev]+0x11): more undefined references to `redisFreeSSLContext' follow
/usr/local/lib/libredis++.a(tls.cpp.o): In function `sw::redis::tls::secure_connection(redisContext&, sw::redis::tls::TlsOptions const&)':
tls.cpp:(.text+0xe4): undefined reference to `redisCreateSSLContext'
tls.cpp:(.text+0xfc): undefined reference to `redisInitiateSSLWithContext'
tls.cpp:(.text+0x1f8): undefined reference to `redisSSLContextGetError'
tls.cpp:(.text+0x2f6): undefined reference to `redisFreeSSLContext'
/usr/local/lib/libredis++.a(tls.cpp.o): In function `sw::redis::tls::TlsInit::TlsInit()':
tls.cpp:(.text+0x4d): undefined reference to `redisInitOpenSSL'
collect2: error: ld returned 1 exit status
```

sewenew commented 2 years ago

> Tried the sample code, but met the following errors.

Looks like you did not link hiredis_ssl. In order to use TLS, you should link both hiredis and hiredis_ssl: libhiredis.a and libhiredis_ssl.a, or -lhiredis and -lhiredis_ssl.

> The TLS needs certificate, but I am thinking it does not suit for Elasticache since the password is used instead of certificate.

So far, hiredis does not support skipping certificate verification. Since redis-plus-plus is based on hiredis, it still needs a certificate file. Check this for detail.

Once hiredis has support for skipping certificate verification, redis-plus-plus will automatically support it. It seems that hiredis has not fixed it yet (there's a PR to fix the problem, but it is not merged yet).

Also, you might want to try the stunnel solution mentioned here. So that you don't need to make the client support TLS.

Regards
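A quick way to triage the linker errors discussed above, as an added example that is not part of the original thread: it pulls the undefined symbols out of ld output and checks that a link command names hiredis_ssl and hiredis after redis++. It assumes GNU ld with static archives, which are resolved left to right; the function names and sample inputs are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU ld and static archives
# without --start-group: each archive is scanned once, left to right.

# Constructed sample, abridged from the linker output quoted in the thread.
SAMPLE_LD_OUTPUT="tls.cpp:(.text+0xe4): undefined reference to \`redisCreateSSLContext'
tls.cpp:(.text+0x4d): undefined reference to \`redisInitOpenSSL'
redis_cluster.cpp:(.text+0x11): more undefined references to \`redisFreeSSLContext' follow"

# Print the unique undefined symbols named in ld output read from stdin.
undefined_syms() {
    sed -n "s/.*undefined references\{0,1\} to \`\([^']*\)'.*/\1/p" | LC_ALL=C sort -u
}

# Print the 1-based position of library $1 among the remaining arguments,
# matched as -lNAME, libNAME.a or libNAME.so (any directory); 0 if absent.
lib_pos() (
    name=$1
    shift
    i=0
    for tok in "$@"; do
        i=$((i + 1))
        case "${tok##*/}" in
            "-l$name" | "lib$name.a" | "lib$name.so") echo "$i"; return 0 ;;
        esac
    done
    echo 0
)

# Check a link command passed as separate arguments. Prints one finding per
# line, or "ok" when hiredis_ssl and hiredis are both present after redis++.
check_tls_link() (
    rpp=$(lib_pos "redis++" "$@")
    clean=1
    for dep in hiredis_ssl hiredis; do
        pos=$(lib_pos "$dep" "$@")
        if [ "$pos" -eq 0 ]; then
            echo "missing: $dep"; clean=0
        elif [ "$rpp" -gt "$pos" ]; then
            echo "order: $dep must come after redis++"; clean=0
        fi
    done
    if [ "$clean" -eq 1 ]; then echo "ok"; fi
)

# Usage: sh check_link.sh g++ -o app app.cpp -lredis++ -lhiredis_ssl -lhiredis ...
if [ "$#" -gt 0 ]; then check_tls_link "$@"; fi
```

The symbols it reports for the sample (redisCreateSSLContext, redisFreeSSLContext, redisInitOpenSSL) are all defined in hiredis_ssl, which in turn depends on OpenSSL.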

walkingerica commented 2 years ago

Thanks a lot, got you!

> Looks like you did not link hiredis_ssl. In order to use TLS, you should link both hiredis and hiredis_ssl: libhiredis.a and libhiredis_ssl.a, or -lhiredis and -lhiredis_ssl.

I used them actually.

Elasticache is using Auth/Password instead of certificate since its source is reliable. I'd like to check if the Auth is supported by the RedisPlusPlus since I saw some hiredis examples are listed with Auth instead of certificate.

sewenew commented 2 years ago

If hiredis already has the support, redis-plus-plus should work too. Since it's based on hiredis.

Not sure if the example might use stunnel solution as I mentioned above.

Regards

walkingerica commented 2 years ago

> If hiredis already has the support, redis-plus-plus should work too. Since it's based on hiredis.
>
> Not sure if the example might use stunnel solution as I mentioned above.
>
> Regards

Samples from the official Redis site https://docs.redis.com/latest/rs/references/client_references/client_c/ and the Huawei site https://support.huaweicloud.com/intl/en-us/usermanual-dcs/dcs-ug-0312010.html, and they do not mention stunnel.

sewenew commented 2 years ago

Since there's no update, I'll close this issue.

Regards