SSL/TLS with certification file #1600
Comments
|
@bluemmb unfortunately there is no way to do this right now. |
|
@yatsukhnenko Thanks for the answer and the great work you have done on this repository. Is there a default path for the file ? or can I read the file and pass it as a parameter or something to the plugin ? ( because there should be a key for the encryption anyway ) I have written an app and put it on the ibm cloud for my client. Because this plugin lacks this feature I had to go with predis. It is also very good library but latency of cloud network (~ 0.9ms) + overhead of the plain php code causes an undesirable latency for using Redis ( as I am testing things since the last week, there is not much of a difference between using redis or mysql with these conditions ) + I should mention that I am not sure that if C code's speed can help on this ? Also I really like performance and I think it is not good that php lacks this important thing in the toolset. So do you have any suggestion ? Or is there any plan on doing this ? If neither, where can I start to work on helping to add this feature to this repo ? |
We use PHP stream wrapper so you may try to find default parameters somewhere in sources of PHP-engine.
It would be great to add ability to manage parameters of ssl/tls connections. We need to path them into |
|
You could use Spiped to make the connection secure. I have done it with master/slave and sentinels. https://www.tarsnap.com/spiped.html |
|
SSL/TLS is supported by Redis starting with version 6 as seen on https://redis.io/topics/encryption Would it be possible to implement this feature in phpredis now that it is supported by Redis itself? |
|
@bluemmb @gabfl could you test $r = new Redis();
$r->connect('tls://github.com', 443, 0, null, 0, 0, [
'local_cert' => '/path/to/cert.pem',
]); |
|
@yatsukhnenko Thank you very much for taking the time to write a patch, it is very appreciated I staged your branch: # Stage test branch
git clone https://github.com/phpredis/phpredis.git && cd phpredis
git fetch origin issue-1600
git checkout issue-1600And compiled phpredis from it: phpize
./configure
make && make install
echo "extension=redis.so" >> /etc/php/7.2/cli/conf.d/redis.iniI used this php snippet: <?php
$r = new Redis();
$r->connect('tls://127.0.0.1', 6379, 0, null, 0, 0, [
'local_cert' => '/root/redis-6.0.3/tests/tls/redis.crt',
'local_pk' => '/root/redis-6.0.3/tests/tls/redis.key',
'cafile' => '/root/redis-6.0.3/tests/tls/ca.crt',
'verify_peer_name' => false
]);
var_dump($r->set('test_tls', 'it works'));
var_dump($r->get('test_tls'));and it works: root@ubuntu-s-4vcpu-8gb-nyc1-01:~/phpredis# php phpredis.php
bool(true)
string(8) "it works"
root@ubuntu-s-4vcpu-8gb-nyc1-01:~/phpredis# 🎉 |
|
Would there be any way to use TLS and a CA certificate in php.ini (session.save_path)? |
|
@ywarnier could you create another issue for session+tls? |
|
Fixed in 5.3.0. |
|
@yatsukhnenko Issue #1775 is actually about that already. |
|
the example is not working, the correct way to use it is: Note the key 'stream'. Could not find this in the documentation. |
|
@dimovnike thanks! I made this example while Michael making his part related to acl. We will update documentation or maybe change api again 😄 |
|
It worked for me as provided, it might be related to the PHP version in use |
|
any idea why this client uses tlsv1 only? otherwise , the curl says it supports tlsv1.2. |
|
@dimovnike you can specify version |
|
@yatsukhnenko I can't find anything in the documentation about the tls/ssl stuff and how to pass the arguments correctly, do you have a link for me ? I encountered a inconsistency in this case, and I wondering why. If we use the class Redis, we need to pass the following arguments: But if we use the RedisCluster class we need to provide the same arguments without the stream key Could you explain, why this is the case ? |
|
@janackermann same thing here. Connecting to a cluster only works if you remove the 'stream' key. Took me quite some time to figure that out! Also has issues with connections freezing using |
This was initially added as part of 2.2.2, but was later removed in 2.2.3 while fixing PHP warnings related to the number of args being passed to pconnect (BoldGrid#533). After refactoring how Redis connection arguments are being calculated/passed, we can now support disabling TLS certificate verification when the installed version of phpredis supports it. phpredis added initial support for the stream context in version 5.3.0 (phpredis/phpredis#1600) and support for RedisCluster in 5.3.2.
…ned certificates (e.g., Heroku Redis) (#559) * Cache_Redis: remove restore_error_handler call from 2.2.2-rc.1 A custom error handler was added in this section of the code in 2.2.2-rc.1 (3d50386) that was later removed in the 2.2.3 release (5335b97), but the clean up call was missed. * Cache_Redis: DRY logic for computing Redis connection params Introduces a private _build_connect_args helper * Cache_Redis: improve logic for read_timeout connect param Support for the read_timeout connection param was added to phpredis in v3.1.3: phpredis/phpredis@b56dc49 * Cache_Redis: restore support for disabling TLS certificate verification This was initially added as part of 2.2.2, but was later removed in 2.2.3 while fixing PHP warnings related to the number of args being passed to pconnect (#533). After refactoring how Redis connection arguments are being calculated/passed, we can now support disabling TLS certificate verification when the installed version of phpredis supports it. phpredis added initial support for the stream context in version 5.3.0 (phpredis/phpredis#1600) and support for RedisCluster in 5.3.2. * ConfigCache: add ability to disable redis tls certificate verification This is a follow-on to #494 to extend support for the "verify TLS certificates" option to the feature that enables caching W3TC's config in redis. * Cache Plugins: update usage stats to respect verify_tls_certificates * Minor adjustments to meet coding standards * Full CS adjustments to all touched files Co-authored-by: jacobd91 <jacobd@inmotionhosting.com>
Expected behaviour
Connect to encrypted connection with certification file
Actual behaviour
--
I'm seeing this behaviour on
Steps to reproduce, backtrace or example script
--
I can see that connecting to encrypted connections is discussed and supported here #1314 and #1561, but still i don't know how to set the certification file path to this plugin ? am I missing something ?
The text was updated successfully, but these errors were encountered: