Redis via ssl and nc 21.0.3

Hi @all,
for security reasons in my case the connection between the NC instance an the redis server must be encrypted. For redis itself it is not problem and from the command line I can access it. But how must I this configured in the nc config?
Here my relevant part:

'memcache.locking' => '\OC\Memcache\Redis',
'memcache.distributed' => '\OC\Memcache\Redis',
'redis' => [
 'host' => 'foo.foo.foo',
'port' => '6379',
'password' => [
   'user' => 'my_user',
   'password' => 'my_pw,
  ],
],

But when nc connects to the redis server it fails on redis with:
Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=8)
So for me it looks like ssl/tls is not in use.
In the phpredis sample code there are lines like this:

$redis->pconnect('tls://127.0.0.1', 6379); // enable transport level security.

But set the host name simple to tls://ffo… will only result in an hanging php.

Environment:
PHP: 7.4.21
OS: CentOS8
phpredis: php74-php-pecl-redis5-5.3.4-1.el8.remi.x86_64
Redis: redis-6.0.9

Thank for any ideas.

Now I have found the problem. NC can’t handle redis6 :frowning:
Only after an dirty hack redis 6 will work:
/lib/private/RedisFactory.php:

if (isset($config['password']) && $config['password'] !== '') {
                                $this->instance->auth([$config['user'], $config['password']]);
                        }

I added an user filed. And set phpredis only to use tls1.2 because there exits an bug using tls 1.3 under php:

My new config:

'memcache.locking' => '\OC\Memcache\Redis',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.local' =>'\OC\Memcache\Redis' ,
'redis' => [
 'host' => 'tlsv1.2://foo.foo.foo',
'port' => '6379',
'password' => 'my_pw',
'user' => 'my_user'
],

I hope it will fixed by the developers.

Hi,

Could you share your redis.conf please?

Hi @skjnldsv ,
here are the uses redis.conf. I only have removed the ip address for security reasons and the comments.

bind XXX.XXX.XXX.XXX
protected-mode yes
port 0
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize no
supervised no
pidfile /var/run/redis_6379.pid
loglevel notice
logfile /var/log/redis/redis.log
databases 16
always-show-logo yes
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
rdb-del-sync-files no
dir /var/lib/redis
replica-serve-stale-data yes
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-diskless-load disabled
repl-disable-tcp-nodelay no
replica-priority 100
acllog-max-len 128
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
lazyfree-lazy-user-del no
oom-score-adj no
oom-score-adj-values 0 200 800
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
jemalloc-bg-thread yes
aclfile /etc/redis/acl
tls-port 6379
tls-ca-cert-file /etc/pki/tls/certs/ca-bundle.crt
tls-key-file /etc/pki/tls/private/redis.key
tls-cert-file /etc/pki/tls/certs/redis_full.pem
tls-auth-clients optional
tls-protocols "TLSv1.2 TLSv1.3"
#tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
tls-session-caching no
tls-replication yes
tls-cluster yes
unixsocket /var/run/redis/redis.socke
unixsocketperm 660
tls-dh-params-file /etc/pki/tls/private/redis.dh
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256

Hi, I’m a bit confused by the usage of user/pass while your config does not have those set?

Hi @skjnldsv this line is the trick:

aclfile /etc/redis/acl

With this line you instruct redis to read the user/passwords from an external file. This will be used, when you use an config management system like puppet. So that the user management can be spilt out from the main config file.

Thanks,

But can you connect to your redis server without providing the certificates?

Yes, I only send the user/password true the tls connection without presenting an client certificate.
This will be another authentication option.(passwort+user+certificate)