SSL Connections
Lettuce supports SSL connections since version 3.1 on Redis Standalone connections and since version 4.2 on Redis Cluster. Redis has no native SSL support; SSL is usually implemented by using stunnel.
An example stunnel configuration can look like:

```
cert=/etc/ssl/cert.pem
key=/etc/ssl/key.pem
capath=/etc/ssl/cert.pem
cafile=/etc/ssl/cert.pem
delay=yes
pid=/etc/ssl/stunnel.pid
foreground = no

[redis]
accept = 127.0.0.1:6443
connect = 127.0.0.1:6479
```
The next step is connecting Lettuce to Redis over SSL.

Using the RedisURI builder:

```java
RedisURI redisUri = RedisURI.Builder.redis("localhost")
        .withSsl(true)
        .withPassword("authentication")
        .withDatabase(2)
        .build();
RedisClient client = RedisClient.create(redisUri);
```

Using a RedisURI string (the rediss:// scheme enables SSL):

```java
RedisURI redisUri = RedisURI.create("rediss://authentication@localhost/2");
RedisClient client = RedisClient.create(redisUri);
```

Using a RedisURI with Redis Cluster:

```java
RedisURI redisUri = RedisURI.Builder.redis("localhost")
        .withSsl(true)
        .withPassword("authentication")
        .build();
RedisClusterClient client = RedisClusterClient.create(redisUri);
```
Lettuce supports SSL only on Redis Standalone and Redis Cluster connections and, since 5.2, also for Upstream resolution using Redis Sentinel or Redis Upstream/Replicas.

When connecting using SSL, Lettuce performs an SSL handshake before you can use the connection. Plain text connections do not perform a handshake. Errors during the handshake throw RedisConnectionExceptions.

Reconnection behavior is also different from plain text connections. If an SSL handshake fails on reconnect (because of peer/certificate verification or because the peer does not talk SSL), reconnection will be disabled for the connection. You will also find an error log entry within your logs.
Lettuce uses the Java defaults for the trust store, which is usually cacerts in your jre/lib/security directory, and comes with customizable SSL options via Client options. If you need to add your own root certificate, you can either configure SslOptions, import it into cacerts, or provide your own trust store and set the necessary system properties:

SslOptions via Client options:

```java
SslOptions sslOptions = SslOptions.builder()
        .jdkSslProvider()
        .truststore(new File("yourtruststore.jks"), "changeit")
        .build();
ClientOptions clientOptions = ClientOptions.builder().sslOptions(sslOptions).build();
```

System properties:

```java
System.setProperty("javax.net.ssl.trustStore", "yourtruststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
```
By default, Lettuce verifies the certificate against the validity period and the common name (name validation is not supported on Java 1.6, only available on Java 1.7 and higher) of the Redis host you are connecting to. This behavior can be turned off:

```java
RedisURI redisUri = ...
redisUri.setVerifyPeer(false);
```

or

```java
RedisURI redisUri = RedisURI.Builder.redis(host(), sslPort())
        .withSsl(true)
        .withVerifyPeer(false)
        .build();
```
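The following is an added example, not code from the Lettuce project or this page, that ties the trust-store and peer-verification sections together: it pins trust to your own trust store via SslOptions and keeps peer verification enabled, so a self-signed or private-CA certificate is accepted without turning verification off. A failed handshake surfaces as the RedisConnectionException described above. The class and method names, the trust store file and password, and the use of a char[] password (the Lettuce 6 builder signature) are assumptions; the host and port 6443 are taken from the stunnel "accept" line in the configuration above, and the password value is the one used on this page.

```java
import io.lettuce.core.ClientOptions;
import io.lettuce.core.RedisClient;
import io.lettuce.core.RedisConnectionException;
import io.lettuce.core.RedisURI;
import io.lettuce.core.SslOptions;
import io.lettuce.core.api.StatefulRedisConnection;

import java.io.File;

/**
 * Hypothetical helper (not part of Lettuce) that connects to a TLS endpoint
 * such as the stunnel "accept" port while keeping peer verification on.
 */
public class VerifiedSslRedisClient {

    public static RedisClient createClient(File trustStore, String trustStorePassword,
                                           String host, int port, char[] redisPassword) {
        // Trust only the CAs in our own trust store instead of the JVM default cacerts.
        SslOptions sslOptions = SslOptions.builder()
                .jdkSslProvider()
                .truststore(trustStore, trustStorePassword)
                .build();

        RedisURI redisUri = RedisURI.Builder.redis(host, port)
                .withSsl(true)
                .withVerifyPeer(true)   // explicit: validity period and host name are checked (the default)
                .withPassword(redisPassword)
                .build();

        RedisClient client = RedisClient.create(redisUri);
        client.setOptions(ClientOptions.builder().sslOptions(sslOptions).build());
        return client;
    }

    public static void main(String[] args) {
        // Assumed values: trust store file, password, and the stunnel accept port from above.
        RedisClient client = createClient(new File("yourtruststore.jks"), "changeit",
                "127.0.0.1", 6443, "authentication".toCharArray());
        try (StatefulRedisConnection<String, String> connection = client.connect()) {
            // connect() only returns after the TLS handshake completed; PING proves the channel works.
            System.out.println("PING -> " + connection.sync().ping());
        } catch (RedisConnectionException e) {
            // Raised when the handshake fails: untrusted certificate, host name mismatch,
            // or a peer that does not speak TLS. Fix the trust store rather than
            // disabling verification with withVerifyPeer(false).
            System.err.println("TLS connection to Redis failed: " + e.getMessage());
        } finally {
            client.shutdown();
        }
    }
}
```

Keeping withVerifyPeer(true) and pointing SslOptions at a trust store that contains only the CA that issued the stunnel certificate is the hardened form of the configuration; withVerifyPeer(false) removes the check that the certificate belongs to the host you intended to reach.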
If you need to issue a StartTLS before you can use SSL, set the startTLS property of RedisURI to true. StartTLS is disabled by default.

```java
RedisURI redisUri = ...
redisUri.setStartTls(true);
```

or

```java
RedisURI redisUri = RedisURI.Builder.redis(host(), sslPort())
        .withSsl(true)
        .withStartTls(true)
        .build();
```
Lettuce documentation was moved to https://redis.github.io/lettuce/overview/