Redis configured for ssl/tls

[ds123]

Version 6 of redis supports TLS directly, but I am having trouble getting that to work. Their documentation emphasizes that there is a directive make BUILD_TLS=yes required.

I am trying to prove to myself that the setting BUILD_TLS is there, but I don't know enough to answer that question.

Looking in the ebuild redis-6.0.9.ebuild, nothing suggests a dependency on openssl.

When I try emerge -evp dev-db/redis, I can see that openssl is a precursor for it, so there is that.

Where should I look next?

Thanks for any help.

[alamahant]

Hi
from /etc/redis.conf

Code: Select all

# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
# tls-port 6379
# tls-cert-file redis.crt 
# tls-key-file redis.key
# tls-dh-params-file redis.dh
# tls-ca-cert-file ca.crt
# tls-ca-cert-dir /etc/ssl/certs
# tls-auth-clients no
# tls-replication yes
# tls-cluster yes
# tls-protocols "TLSv1.2 TLSv1.3"
# tls-ciphers DEFAULT:!MEDIUM
# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
# tls-prefer-server-ciphers yes
# tls-session-caching no
# tls-session-cache-size 5000
# tls-session-cache-timeout 60

[Hu]

Version 6 of redis supports TLS directly, but I am having trouble getting that to work. Their documentation emphasizes that there is a directive make BUILD_TLS=yes required.

The phrasing suggests that this would be an extra parameter passed to make at build time. If you do not see it in the ebuild, then the default from upstream would be used. Your post suggests to me that the upstream default is =no.

Looking in the ebuild redis-6.0.9.ebuild, nothing suggests a dependency on openssl.

Then either the ebuild dependency data is wrong, or the ebuild does not enable TLS.

When I try emerge -evp dev-db/redis, I can see that openssl is a precursor for it, so there is that.

Are you sure? -e is short for --emptytree, so dev-libs/openssl would be shown if redis, or anything required by redis, depended on it. Hypothetically, redis could depend on a helper package that uses HTTPS, and that helper could need openssl in order to use HTTPS. That would then cause openssl to be shown in -evp output, even though redis itself made no use of openssl. The simplest test, which is not perfect, but is usually right, would be to install redis and then inspect the lddtree output for it, to see if it loads openssl, either directly or indirectly. If you do not see openssl there, then I expect it probably does not have TLS support enabled in your build.