Skip to content

TLS: Add different client cert support.#8076

Merged
yossigo merged 3 commits intoredis:unstablefrom
yossigo:add-tls-client-cert
Dec 11, 2020
Merged

TLS: Add different client cert support.#8076
yossigo merged 3 commits intoredis:unstablefrom
yossigo:add-tls-client-cert

Conversation

@yossigo
Copy link
Collaborator

@yossigo yossigo commented Nov 22, 2020

This adds a new tls-client-cert-file and tls-client-key-file
configuration directives which make it possible to use different
certificates for the TLS-server and TLS-client functions of Redis.

This is an optional directive. If it is not specified the tls-cert-file
and tls-key-file directives are used for TLS client functions as well.

Fixes #7946

@yossigo
Create several types of certificates.
a663e3e 
In addition to the CA and generic certificate, the script now creates
client-only and server-only certificates.

Also, skip intensive operations if target files already exist.
@yossigo
TLS: Add different client cert support.
4a39955 
This adds a new tls-client-cert-file and tls-client-key-file
configuration directives which make it possible to use different
certificates for the TLS-server and TLS-client functions of Redis.

This is an optional directive. If it is not specified the tls-cert-file
and tls-key-file directives are used for TLS client functions as well.
@yossigo yossigo requested a review from oranagra November 24, 2020 12:07
oranagra
oranagra reviewed Dec 3, 2020
View reviewed changes
Copy link
Member

@oranagra oranagra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yossigo i don't know TLS the various configuration well enough.
i assume everything that you moved from tlsConfigure into the new createSSLContext are settings that should apply to both client and server, and that what's left in tlsConfigure after the first call to createSSLContext are things that apply only to the server.
in which case it all looks good to me.

one thing i noticed is that these lines now exist in both:

    SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

which means maybe they should be removed from tlsConfigure?
or alternatively, the second one seem to apply only to servers? so maybe needs to be removed from createSSLContext?

@yossigo
Copy link
Collaborator Author

yossigo commented Dec 3, 2020

@oranagra Yes, createSSLContext handles the common part. Those duplicate lines are a mistake, I'll push a fix.

@oranagra
Copy link
Member

oranagra commented Dec 4, 2020

@redis/core-team please approve the new configs

@oranagra oranagra added state:major-decision Requires core team consensus release-notes indication that this issue needs to be mentioned in the release notes labels Dec 8, 2020
@yossigo yossigo added the approval-needed Waiting for core team approval to be merged label Dec 10, 2020
@yossigo yossigo merged commit 8c291b9 into redis:unstable Dec 11, 2020
@yossigo yossigo deleted the add-tls-client-cert branch December 11, 2020 16:31
@oranagra oranagra mentioned this pull request Jan 13, 2021
Merged
JackieXie168 pushed a commit to JackieXie168/redis that referenced this pull request Mar 2, 2021
@yossigo
TLS: Add different client cert support. (redis#8076)
f674ead 
This adds a new `tls-client-cert-file` and `tls-client-key-file`
configuration directives which make it possible to use different
certificates for the TLS-server and TLS-client functions of Redis.

This is an optional directive. If it is not specified the `tls-cert-file`
and `tls-key-file` directives are used for TLS client functions as well.

Also, `utils/gen-test-certs.sh` now creates additional server-only and client-only certs and will skip intensive operations if target files already exist.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@itamarhaber itamarhaber itamarhaber approved these changes

@oranagra oranagra oranagra approved these changes

Assignees

No one assigned

Labels

approval-needed Waiting for core team approval to be merged release-notes indication that this issue needs to be mentioned in the release notes state:major-decision Requires core team consensus

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[NEW] Replica TLS certificate

3 participants

@yossigo @oranagra @itamarhaber