Open TysonAndre opened 3 years ago
Just as an example of how this could be useful / enable new use cases: We're using Google's Memorystore for Redis. Unfortunately, its network connection patterns require the instances to be exposed to our whole (large) VPC. For security, we use TLS and Redis AUTH commands. However, handling that puts some load on developers of services which use Redis.
These services run in Kubernetes with Istio, so we were looking into deploying Twemproxy into each cluster and having it handle the TLS termination and AUTH strings and letting services running in the clusters just connect without authentication or TLS, with the access policy being handled by Istio. However, the lack of TLS support is kind of blocking this use case for us.
For AWS ElastiCache for Redis, AUTH is only possible over TLS, so this is also something we would love to have so we can use ElastiCache with AUTH, as there is no way to use it without TLS :(
Also, for our use case, twemproxy terminating TLS connections from caching backends would be cool, as our caching servers are available on the internet and, for obvious security reasons, should only communicate inside TLS connections.
Resources:
https://github.com/memcached/memcached/blob/master/testapp.c
https://wiki.openssl.org/index.php/SSL/TLS_Client
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_new.html
Related to https://github.com/twitter/twemproxy/issues/583
This would probably be done by:
- tls: true section to twemproxy pool configuration files
- ./configure option to depend on openssl